b"                           SOCIAL SECURITY\n                                     June 29, 2009\n\n\nThe Honorable Max Baucus\nChairman\nCommittee on Finance\nUnited States Senate\nWashington, D.C. 20510\n\nDear Senator Baucus:\n\nYour February 18, 2009 letter co-signed by Senator Grassley requested our assistance\nin evaluating the Social Security Administration\xe2\x80\x99s (SSA) response to the Lockheed\nMartin study of the National Computer Center and SSA's efforts to strategically address\nfuture information system needs. Specifically, we were requested to assess the\nAgency\xe2\x80\x99s overall future information system plans and provide the following information.\n\n1. Has the Agency adequately developed a comprehensive Agency Information\n   Infrastructure Plan that is designed to meet potential processing needs for the next\n   20 years and allows the Agency to recover quickly if one or more major components\n   of its processing infrastructure fails or is destroyed?\n\n2. Has the Agency obtained information on industry best practices of other data\n   infrastructure systems of similar scope in terms of design, geographic location and\n   redundancy, and has this information guided their decisions for information systems\n   planning?\n\n3. What steps is the Agency taking to prevent the current situation that plagues the\n   NCC from recurring?\n\n4. Determine the process and criteria being used by SSA to identify a new location for\n   the NCC and the risks and benefits of that process and criteria.\n\nI appreciate the opportunity to share our insights on these important matters and am\npleased to provide you the enclosed report, which addresses your specific questions.\nTo ensure SSA is aware of the information provided to your office, we are forwarding a\ncopy of this report to the Agency. Also, I have sent a similar response to Senator\nGrassley.\n\n\n\n\n           SOCIAL SECURITY ADMINISTRATION         BALTIMORE MD 21235-0001\n\x0cPage 2 - The Honorable Max Baucus\n\n\nIf you have any questions concerning this matter, please call me at (410) 965-7427 or\nhave your staff contact Wade Walters, Assistant Inspector General for External\nRelations, at (410) 594-2176.\n\n                                               Sincerely,\n\n\n                                               S\n                                               Patrick P. O\xe2\x80\x99Carroll, Jr.\n                                               Inspector General\n\nEnclosure\n\ncc:\nMichael J. Astrue\n\x0c                           SOCIAL SECURITY\n                                     June 29, 2009\n\n\nThe Honorable Charles Grassley\nRanking Member\nCommittee on Finance\nUnited States Senate\nWashington, D.C. 20510\n\nDear Senator Grassley:\n\nYour February 18, 2009 letter co-signed by Senator Baucus requested our assistance in\nevaluating the Social Security Administration\xe2\x80\x99s (SSA) response to the Lockheed\nMartin study of the National Computer Center and SSA's efforts to strategically address\nfuture information system needs. Specifically, we were requested to assess the\nAgency\xe2\x80\x99s overall future information system plans and provide the following information.\n\n1. Has the Agency adequately developed a comprehensive Agency Information\n   Infrastructure Plan that is designed to meet potential processing needs for the next\n   20 years and allows the Agency to recover quickly if one or more major components\n   of its processing infrastructure fails or is destroyed?\n\n2. Has the Agency obtained information on industry best practices of other data\n   infrastructure systems of similar scope in terms of design, geographic location and\n   redundancy, and has this information guided their decisions for information systems\n   planning?\n\n3. What steps is the Agency taking to prevent the current situation that plagues the\n   NCC from recurring?\n\n4. Determine the process and criteria being used by SSA to identify a new location for\n   the NCC and the risks and benefits of that process and criteria.\n\nI appreciate the opportunity to share our insights on these important matters and am\npleased to provide you the enclosed report, which addresses your specific questions.\nTo ensure SSA is aware of the information provided to your office, we are forwarding a\ncopy of this report to the Agency. Also, I have sent a similar response to Senator\nBaucus.\n\n\n\n\n           SOCIAL SECURITY ADMINISTRATION         BALTIMORE MD 21235-0001\n\x0cPage 2 - The Honorable Charles Grassley\n\n\nIf you have any questions concerning this matter, please call me at (410) 965-7427 or\nhave your staff contact Wade Walters, Assistant Inspector General for External\nRelations, at (410) 594-2176.\n\n                                               Sincerely,\n\n\n                                               S\n                                               Patrick P. O\xe2\x80\x99Carroll, Jr.\n                                               Inspector General\n\nEnclosure\n\ncc:\nMichael J. Astrue\n\x0c CONGRESSIONAL RESPONSE\n        REPORT\n\n\nThe Social Security Administration\xe2\x80\x99s Information\n        Technology Strategic Planning\n\n                A-44-09-29120\n\n\n\n\n                   June 2009\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                               Executive Summary\nOBJECTIVE\nOur objective was to review the Social Security Administration\xe2\x80\x99s (SSA) plan to address\nits processing requirements 5 to 20 years in the future and what actions SSA has taken\nto meet those requirements. Specifically, we addressed a congressional inquiry\nconcerning the Agency\xe2\x80\x99s information technology (IT) strategic planning, disaster\nrecovery, industry best practices, National Computer Center (NCC) infrastructure\nissues, and NCC replacement strategy.\n\nBACKGROUND\nIn a February 18, 2009 letter co-signed by Senators Max Baucus and Charles Grassley,\nwe were requested to assess the Agency\xe2\x80\x99s overall future information system plans.\nSpecifically, we were requested to provide the following information.\n\n1. Has the Agency adequately developed a comprehensive Agency Information\n   Infrastructure Plan that is designed to meet potential processing needs for the next\n   20 years and allows the Agency to recover quickly if one or more major components\n   of its processing infrastructure fails or is destroyed?\n\n2. Has the Agency obtained information on industry best practices of other data\n   infrastructure systems of similar scope in terms of design, geographic location and\n   redundancy, and has this information guided their decisions for information systems\n   planning?\n\n3. What steps is the Agency taking to prevent the current situation that plagues the\n   NCC from recurring?\n\n4. Determine the process and criteria being used by SSA to identify a new location for\n   the NCC and the risks and benefits of that process and criteria.\n\nAlso, as a follow up to our report, The Social Security Administration\xe2\x80\x99s Ability to Address\nFuture Processing Requirements (A-44-09-19098), we updated the status of the\nAgency\xe2\x80\x99s efforts to address the significant issues identified in Lockheed Martin\xe2\x80\x99s (LM)\nNCC Feasibility Study.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                           i\n\x0cRESULTS OF REVIEW\nOur review of SSA\xe2\x80\x99s IT strategic planning process and related documents found the\nfollowing.\n\n1. SSA did not have a comprehensive Agency Information Infrastructure Plan to meet\n   potential processing needs for the next 20 years and that would allow the Agency to\n   recover quickly if one or more major components of its processing infrastructure fails\n   or is destroyed.\n\n   a. SSA has various IT strategic planning documents, but similar to other Federal\n      agencies, they do not span 20 years. We found there was no requirement for\n      SSA to have an Agency Information Infrastructure Plan that spans 20 years.\n   b. SSA\xe2\x80\x99s IT strategic planning documents are task-oriented in nature and need to\n      be more strategic.\n   c. SSA has an IT planning process, but the process is decentralized. SSA officials\n      stated, \xe2\x80\x9cWe agree that we need to strengthen our IT strategic planning process.\n      We will address some of the concerns raised in the report with the release of the\n      2009-2014 IRM Strategic Plan. We do not agree that our decentralized IT\n      planning process is undesirable, but we can make improvement in coordination,\n      communication, and integration.\xe2\x80\x9d\n   d. SSA has a disaster recovery plan if the NCC becomes unavailable. However,\n      the Agency\xe2\x80\x99s current recovery plan depends heavily on the availability of a\n      contracted facility, and it will take approximately 10 days to recover the systems\n      required to perform the Agency\xe2\x80\x99s essential functions.\n\n2. SSA obtained information on industry best practices regarding data infrastructure\n   systems by consulting with IT research firms. SSA consulted with these firms\n   regarding such topics as Data Center outsourcing; Data Center staffing;\n   management characteristics of effective Data Centers; next generation Data Center\n   design; predicted infrastructure usage and upcoming technology; and infrastructure\n   optimization. SSA management stated the Agency does not follow specific industry\n   best practice documents, but its IT planning is based on experience and the best\n   information available at the time. Moreover, SSA management stated that industry\n   best practices were used in developing the Agency\xe2\x80\x99s NCC replacement strategy.\n   Although SSA management stated it uses the best available information when IT\n   decisions are made, to date, we have been unable to obtain detailed cost estimates\n   for all viable alternatives identified by LM in its NCC Feasibility Study.\n\n3. SSA has taken the following steps to prevent the current situation that plagues the\n   NCC from recurring.\n\n   a. SSA has initiated or completed projects recommended by LM to sustain existing\n      operations at the NCC. Nonetheless, we believe the Agency should have taken\n      action sooner because SSA and the General Services Administration (GSA)\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                            ii\n\x0c        knew about some of the recurring issues at the NCC and Utility Building since\n        1989. Further, we believe the criticality of the building should be given a greater\n        weight than the age of the building in determining whether a building is selected\n        for renovation. SSA officials stated, \xe2\x80\x9cWe disagree; we took action and funded\n        significant projects to sustain the building.\xe2\x80\x9d\n    b. SSA reported the new NCC is being designed in accordance with the Uptime\n       Institute\xe2\x80\x99s Tier III Data Center standards. These standards provide redundancy\n       to mechanical and electrical infrastructure systems. Tier III facilities have\n       redundant capacity that allows for any planned site infrastructure maintenance\n       and activities without disrupting the computer hardware operation. 1 (See\n       Appendix H for the Uptime Institute\xe2\x80\x99s Tier Standards). The new Data Center will\n       be designed to meet the Agency\xe2\x80\x99s known infrastructure capacity needs based on\n       anticipated trends and with the redundancy and flexibility for future modification\n       and expansion without disruption to operations.\n\n    c. SSA will continue to perform preventive maintenance activities at the NCC.\n\n    In another OIG report, we noted that although the NCC concerns were not\n    specifically considered as a part of the Durham Support Center (DSC) planning\n    process, the DSC was designed and built to minimize the likelihood that the physical\n    concerns identified at the NCC will be repeated. 2 SSA should use a similar\n    approach to prevent the new Data Center from encountering similar problems that\n    occurred at the NCC over time.\n\n4. In 2007, SSA commissioned the LM NCC Feasibility Study to identify infrastructure\n   and data processing capacity issues. In 2008, LM completed its study and\n   recommended 17 projects that SSA should undertake to sustain existing IT\n   operations through the end of Calendar Year 2014. In addition, LM recommended\n   SSA construct a new Data Center apart from SSA\xe2\x80\x99s campus in Woodlawn,\n   Maryland. 3\n\n\n\n\n1\n  Planned activities include preventive and programmable maintenance, repair and replacement of\ncomponents, addition or removal of capacity components, and testing of components and systems. For\nlarge sites using chilled water, this means two independent sets of pipes. Sufficient capacity and\ndistribution must be available to simultaneously carry the load on one path while performing maintenance\nor testing on the other path. Unplanned activities, such as errors in operation or spontaneous failures of\nfacility infrastructure components, will still cause a Data Center disruption.\n2\n SSA OIG, Processing Capacity of the Social Security Administration\xe2\x80\x99s Durham Support Center\n(A-14-09-19100).\n\n3\n The preferred alternative identified in the LM Feasibility Study was to Build/Lease a New NCC Data\nCenter with Utility Infrastructure Off Campus.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                         iii\n\x0c      Based on LM\xe2\x80\x99s recommendation, SSA decided to build a new Data Center 4\n      off-campus. The American Recovery and Reinvestment Act of 2009 (ARRA)\n      provided SSA $500 million to replace the NCC. SSA\xe2\x80\x99s ARRA plan states that\n      Agency staff is working closely with GSA and will participate in the design and\n      construction of the new Data Center. SSA developed minimum requirements for the\n      location of its new Data Center. However, the Agency is still in the preliminary\n      stages of the project, and GSA is not yet soliciting for construction sites. Detailed\n      information is procurement-sensitive and will not be released publicly until GSA\n      issues the formal solicitation.\n\n      SSA estimates it will cost approximately $750 million 5 for the facilities and\n      equipment for the new Data Center. The Agency anticipates the new Data Center to\n      be substantially completed by October 2013. Further, it expects to occupy the new\n      Data Center in January 2014. However, this date is before any IT equipment is\n      installed. A November 2008 Gartner report 6 showed the average cost of building an\n      8,000 square foot Tier III Data Center was approximately $20.51 million ($2,564 per\n      square foot). 7 The Agency plans to build a 247,000 gross square foot Data Center.\n      Using the Gartner report as a baseline, the new Data Center would cost\n      approximately $633.4 million. We recognize that the Gartner report may not be\n      directly comparable to the Agency\xe2\x80\x99s current cost data for its new Data Center.\n      Nevertheless, without independently verifiable detailed cost estimates for the new\n      Data Center, the Agency\xe2\x80\x99s estimates remain problematic. SSA officials stated, \xe2\x80\x9cWe\n      disagree; we base our estimate along with the GSA\xe2\x80\x99s estimate on the recommended\n      program elements of the EYP study.\xe2\x80\x9d 8 Further, SSA officials stated, \xe2\x80\x9cThe\n      247,000 gross square footage includes non-computer space. If you apply the\n\n\n\n4\n Although the new Data Center is commonly referred to as the National Support Center, as of March\n2009, the Data Center had not yet been officially named by the Commissioner.\n5\n  Based on estimates of SSA\xe2\x80\x99s spending for the construction of the new Data Center, funds will be\nreleased in FY 2010 for research and studies to procure the land, funds will be released in FY 2011 to\ndesign and construct the facility, and funds are being reserved for FY 2012 to purchase IT services and IT\nstart-up equipment. Additionally, GSA and SSA are discussing the possibility of using funds to acquire IT\nconsultant assistance for the planning process and to accelerate the schedule for site related services in\nFY 2009. On April 1, 2009, GSA awarded a contract to Jacobs, a construction management firm, who is\nresponsible for preparing the detailed Program of Requirements (scope of work) with GSA and SSA\nproject team members.\n\n6\n    Data Center Availability: Tier Design Costs and Benefits Can Vary Greatly, November 12, 2008.\n7\n    This includes the estimated costs of construction and does not include ongoing operational costs.\n\n8\n Feasibility Study for the Social Security Administration National Services Center Data Center Facility,\nJanuary 16, 2009. The following agencies and firms participated in the GSA study: (1) SSA, (2) GSA\nRegion 3, (3) Oudens Knoop Knoop + Sachs Architects (Architect), (4) HP Critical Facilities Services,\ndelivered by EYP MCF (Data Center Expert), and (5) Project Management Services Incorporated (Cost\nConsultant).\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                            iv\n\x0c     Gartner estimate only to computer space in the new Data Center then the numbers\n     would be in alignment.\xe2\x80\x9d\n\n     Further, based on SSA\xe2\x80\x99s prior large construction and renovation projects and\n     Gartner\xe2\x80\x99s November 2008 report, we believe it is unlikely the current estimated\n     schedule and costs related to the new Data Center will be met. SSA needs to\n     reconcile these numbers and explain why there is a discrepancy.\n\nCONCLUSION\nBecause SSA\xe2\x80\x99s IT systems are critical to meeting its mission and goals and that mission\nimpacts the lives of nearly all Americans, it is imperative that the Agency have a clear IT\nvision that anticipates its future needs. Further, SSA\xe2\x80\x99s current IT strategic plans are\nshort-term, tactical plans that do not provide a detailed description of how the Agency\nintends to address its IT processing needs 10 to 20 years into the future. We believe,\nas SSA progresses on implementing solutions to address its IT processing\nrequirements, it needs to have a more strategic and integrated approach to its IT\nplanning efforts.\n\nAlthough the Agency has decided to construct a new Data Center and Utility Building off\ncampus, we were unable to determine whether this is the best use of taxpayer dollars\nbecause we have not been provided detailed cost estimates for all alternatives for\nreplacing the NCC and its Utility Building.\n\nTo date, we have received three reports containing cost-related data. 9 However,\naccording to SSA, LM\xe2\x80\x99s estimates were very preliminary and the focus of the LM study\nwas to determine the condition of the facility and to determine whether there was a need\nfor a new Data Center. It was not intended to be a cost estimate. SSA added that the\nGSA study was a follow-on to the LM study and its purpose was to define square\nfootage needs which were used for cost estimation purposes in the Agency\xe2\x80\x99s budget.\nFurther, SSA stated that the BAH Alternative Analysis was not a construction cost\nestimate, was based on the GSA study cost estimates and only calculated life-cycle\ncosts of the building for the sole purpose of determining the return on investment to the\nGovernment. According to SSA, it is not a construction cost estimate.\n\nThe Government Accountability Office (GAO) published a guide on best practices for\ndeveloping and managing capital program cost. 10 In its guide, GAO defines the basic\ncharacteristics for credible cost estimates and a reliable process for creating them. We\n\n9\n  (1) Lockheed Martin's Final Feasibility Study, February 8, 2008; (2) General Services Administration's\nFeasibility Study for the Social Security Administration National Services Center Data Center Facility,\nJanuary 16, 2009; and (3) Booz Allen Hamilton's SSA National Computer Center Alternatives Analysis,\nJanuary 29, 2009 (updated February 18, 2009).\n\n10\n  GAO Cost Estimating and Assessment Guide, Best Practices for Developing and Managing Capital\nProgram Costs, March 2009.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                            v\n\x0chave solicited for a contractor to evaluate SSA\xe2\x80\x99s process for selecting the replacement\nstrategy for the NCC, including the cost estimates for the various alternatives and the\nuse of industry best practices.\n\nAs reliance on electronic processing and technology grows and the Agency\xe2\x80\x99s workload\nincreases, so does the need to ensure SSA\xe2\x80\x99s IT infrastructure is designed to meet\nfuture needs. SSA needs to focus its efforts on (1) strengthening its IT strategic\nplanning process and related documents; (2) identifying ways to accelerate planning,\nconstructing and operating the new Data Center; (3) developing contingency plans for\naddressing its IT processing requirements and disaster recovery procedures in the\nevent the DSC and/or the new Data Center are not operational within the scheduled\ntime frames; (4) using industry best practices to aid in its IT strategic planning; and\n(5) establishing controls and a detailed strategy for timely maintenance, repairs,\nupgrades and replacement of critical IT infrastructure in the new Data Center to prevent\nthe current situation at the NCC from recurring.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                           vi\n\x0c                                                                         Table of Contents\n                                                                                                                    Page\n\nBACKGROUND ......................................................................................................1\n\nRESULTS OF REVIEW ..........................................................................................2\n\nQuestion 1..............................................................................................................2\n\n    SSA\xe2\x80\x99s IT Strategic Planning Process .................................................................2\n\n    SSA\xe2\x80\x99s IT Strategic Planning Documents............................................................4\n\n    Disaster Recovery..............................................................................................6\n\nQuestion 2..............................................................................................................8\n\nQuestion 3 .............................................................................................................9\n\n    NCC and Utility Building...................................................................................10\n\n    SSA\xe2\x80\x99s Actions to Address Current and Future Infrastructure and\n    Capacity Issues................................................................................................13\n\nQuestion 4............................................................................................................17\n\nCONCLUSIONS................................................................................................... 20\n\nAPPENDICES\n\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Information Technology Planning Process Overview\nAPPENDIX D \xe2\x80\x93 The Social Security Administration\xe2\x80\x99s Information Technology Strategic\n             Planning Documents\nAPPENDIX E \xe2\x80\x93 Primary Mission Essential Functions, Mission Essential Functions and\n             Supporting Activities\nAPPENDIX F \xe2\x80\x93 Lockheed Martin Recommendations\nAPPENDIX G \xe2\x80\x93 Recurring Infrastructure Issues at the National Computer Center and its\n             Utility Building\nAPPENDIX H \xe2\x80\x93 Uptime Institute\xe2\x80\x99s Data Center Tier Classifications and Performance\n             Standards\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)\n\x0c                                                                  Background\nOBJECTIVE\nOur objective was to review the Social Security Administration\xe2\x80\x99s (SSA) plan to address\nits processing requirements 5 to 20 years in the future and what actions SSA has taken\nto meet those requirements. Specifically, we addressed a congressional inquiry\nconcerning the Agency\xe2\x80\x99s information technology (IT) strategic planning, disaster\nrecovery, industry best practices, National Computer Center (NCC) infrastructure\nissues, and the NCC replacement strategy.\n\nBACKGROUND\nIn a February 18, 2009 letter co-signed by Senators Max Baucus and Charles Grassley,\nwe were requested to assess the Agency\xe2\x80\x99s overall future information system plans.\nSpecifically, we were requested to provide information on the following.\n\n1. Has the Agency adequately developed a comprehensive Agency Information\n   Infrastructure Plan that is designed to meet potential processing needs for the next\n   20 years and allows the Agency to recover quickly if one or more major components\n   of its processing infrastructure fails or is destroyed?\n\n2. Has the Agency obtained information on industry best practices of other data\n   infrastructure systems of similar scope in terms of design, geographic location and\n   redundancy, and has this information guided their decisions for information systems\n   planning?\n\n3. What steps is the Agency taking to prevent the current situation that plagues the\n   NCC from recurring?\n\n4. Determine the process and criteria being used by SSA to identify a new location for\n   the NCC and the risks and benefits of that process and criteria.\n\nAlso, as a follow up to our report, The Social Security Administration\xe2\x80\x99s Ability to Address\nFuture Processing Requirements (A-44-09-19098), we updated the status of the\nAgency\xe2\x80\x99s efforts to address the significant issues identified in Lockheed Martin\xe2\x80\x99s (LM)\nNCC Feasibility Study. See Appendix B for a detailed discussion of our Scope and\nMethodology.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                           1\n\x0c                                                          Results of Review\nQuestion 1\n\nHas the Agency adequately developed a comprehensive Agency Information\nInfrastructure Plan that is designed to meet potential processing needs for the\nnext 20 years and allows the Agency to recover quickly if one or more major\ncomponents of its processing infrastructure fails or is destroyed?\n\nSSA did not have a comprehensive Agency Information Infrastructure Plan to meet\npotential processing needs for the next 20 years and that would allow the Agency to\nrecover quickly if one or more major components of its processing infrastructure fails or\nis destroyed.\n\na. SSA has various IT strategic planning documents, but similar to other Federal\n   agencies, they do not span 20 years. We found there was no requirement for SSA\n   to have an Agency Information Infrastructure Plan that spans 20 years.\nb. SSA\xe2\x80\x99s IT Strategic Plan documents are task-oriented in nature and need to be more\n   strategic.\nc. SSA has an IT planning process, but the process is decentralized. SSA officials\n   stated, \xe2\x80\x9cWe agree that we need to strengthen our IT strategic planning process. We\n   will address some of the concerns raised in the report with the release of the 2009-\n   2014 IRM Strategic Plan. We do not agree that our decentralized IT planning\n   process is undesirable, but we can make improvement in coordination,\n   communication, and integration.\xe2\x80\x9d\nd. SSA has a disaster recovery plan if the NCC becomes unavailable. However, the\n   Agency\xe2\x80\x99s recovery plan depends heavily on the availability of a contracted facility,\n   and it will take approximately 10 days to recover the systems required to perform the\n   Agency\xe2\x80\x99s essential functions.\n\nSSA\xe2\x80\x99S IT STRATEGIC PLANNING PROCESS\n\nIT strategic planning is vital because it enables an agency to consider the resources,\nincluding staff, infrastructure and funding, that are needed to manage, support and pay\nfor projects. Congress 1 and the Office of Management and Budget (OMB) 2 have\n\n1\n  The Clinger-Cohen Act, 40 United States Code (U.S.C.) \xc2\xa7 11101 et seq., provides a framework for\neffective IT management that includes systems integration planning, human capital management and\ninvestment management. In addition, the Paperwork Reduction Act, Public Law Number (Pub. L. No.)\n104-13, May 22, 1995, 44 U.S.C. \xc2\xa7 3501 et seq., requires that agencies have strategic plans for their\ninformation resource management.\n2\n OMB Circular No. A-130, Management of Federal Information Resources, and Circular No. A-11, Part 7,\nPlanning, Budgeting, Acquisition, and Management of Capital Assets.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                         2\n\x0crecognized the importance of IT strategic planning and management, which describe an\norganization\xe2\x80\x99s goals, the strategies it will use to achieve those goals, and performance\nmeasures. The Government Accountability Office (GAO) has reported that a key\nelement to an agency\xe2\x80\x99s success in modernizing its IT systems is IT strategic planning. 3\nThe Clinger-Cohen Act requires that Federal agencies establish effective and efficient\ncapital planning processes for selecting, managing and evaluating the results of all their\nmajor investments in information systems. 4\n\nAt SSA, most of the IT functions are divided between the Offices of the Chief\nInformation Officer (OCIO) and Deputy Commissioner for Systems (DCS), while the\nInformation Technology Advisory Board (ITAB) approves IT projects. The Office of\nFacilities Management (OFM), under the Deputy Commissioner for Budget, Finance\nand Management, develops the strategic direction of SSA\xe2\x80\x99s space, including the primary\ncomputer center.\n\n       OCIO \xe2\x80\x93 Defines the Agency\xe2\x80\x99s IT vision and strategy through such functions as IT\ncapital planning and investment control, enterprise architecture and electronic\nGovernment initiatives. OCIO also provides advice to ITAB on such topics as IT\nsystems strategies, budgets, investments, and acquisitions. OCIO worked with DCS to\npublish the IT Vision and is responsible for preparing, publishing and maintaining the\nInformation Resources Management (IRM) Strategic Plan.\n\n       DCS \xe2\x80\x93 Responsible for systems acquisition, design, development, testing,\nvalidation, implementation and maintenance. In addition, DCS is responsible for the IT\nplanning and ITAB websites as well as the systems planning and reporting system.\nFurther, DCS oversees and provides Agency-wide support for the IT planning process.\n\n       OFM \xe2\x80\x93 Develops, updates and implements facilities policies. Additionally,\nOFM develops, implements and guides the strategic direction of the Agency\xe2\x80\x99s space as\nwell as building and realty management programs. Further, OFM is responsible for the\ndaily operations, maintenance and repair of SSA's main complex and outlying buildings,\nincluding the NCC and its Utility Building.\n\n      ITAB - The governing body for SSA\xe2\x80\x99s IT planning process 5 and responsible for\ndeveloping the Agency\xe2\x80\x99s IT Plan. ITAB is chaired by the Chief Information Officer, and\nits membership comprises the Deputy Commissioner for SSA, all Deputy\nCommissioners for SSA\xe2\x80\x99s components, and other Agency executives. ITAB reviews a\n\n\n3\n GAO, Social Security Administration, Effective Information Technology Management Essential for Data\nCenter Initiative, GAO-09-662T, April 28, 2009.\n4\n    Pub. L. No. 104-106, Division E, Section 5113(b)(2)(A).\n5\n SSA\xe2\x80\x99s Policies and Procedures for the IT Planning Process, page 5, defines IT planning as the effort to\neffectively and efficiently allocate Agency resources associated with its IT processes.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                            3\n\x0cvariety of SSA\xe2\x80\x99s IT projects, categorized by investment portfolios. 6 Each investment\nportfolio contains a list of IT projects. These projects support one of the strategic\nobjectives in the Agency\xe2\x80\x99s Strategic Plan. Portfolio teams are led by an Agency\nexecutive who functions as the portfolio manager. The portfolio team coordinates with\nstakeholders to prioritize IT projects according to their role in achieving the related\nstrategic objective. After IT projects are prioritized and presented to the ITAB, it must\ndecide how the Agency\xe2\x80\x99s resources will be assigned to the various IT projects. In\nmaking this decision, ITAB considers the portfolio priorities and the related cost-benefit\nanalysis provided by the sponsoring components. Such information includes return on\ninvestment, full-time equivalent savings, dollar savings and cost avoidance. (See\nAppendix C for an overview of SSA\xe2\x80\x99s IT planning process.)\n\nIn testimony before the House Committee on Ways and Means, Subcommittee on\nSocial Security, 7 the Chairman of the Social Security Advisory Board (SSAB)\nsuggested that the state of the Agency\xe2\x80\x99s Data Center operations, in part, is due to\nSSA\xe2\x80\x99s decentralized IT investment process and inadequate long-range planning. The\nChairman stated SSA\xe2\x80\x99s decentralized IT governance process has resulted in a dilution\nof ownership and management of the Agency\xe2\x80\x99s overall IT process. The Agency\xe2\x80\x99s ability\nto deliver public service will increasingly depend on technology and governance of the\nIT process and must have strong leadership that is empowered to make critical\ndecisions and is held accountable for those decisions. SSAB recommended the\nAgency restructure its governance process and centralize overall responsibility for all IT\nprocesses.\n\nWe believe the Agency\xe2\x80\x99s IT strategic planning process could be improved. It is critical\nthat SSA strengthen its IT planning process with a more integrated approach to ensure\nit has a clear IT vision for the future. We believe each component impacted by the\nAgency\xe2\x80\x99s IT strategic plans should have a prominent role in the IT strategic planning\nprocess.\n\nSSA\xe2\x80\x99S IT STRATEGIC PLANNING DOCUMENTS\n\nWe found SSA does not have an Agency Information Infrastructure Plan. However,\nSSA has various IT strategic planning documents including a 2007 IRM Plan, IT Vision\n2009-2014, and Fiscal Year (FY) 2009-2010 Agency IT Plan. Nonetheless, we found\nthese plans generally did not provide a detailed description of how the Agency intends\nto address its future IT needs. (See Appendix D for details regarding SSA\xe2\x80\x99s IT strategic\nplanning documents.)\n\n6\n SSA\xe2\x80\x99s nine portfolios are (1) Core Services, (2) Disability Process, (3) Hearings Process, (4) High\nPerforming Workforce, (5) Program Integrity, (6) Savings and Solvency, (7) SSA Infrastructure, (8) Social\nSecurity Number Process, and (9) Reimbursable Work. FY 2009-2010 Agency IT Plan, page 1.\n7\n Chairman of the Social Security Advisory Board --Testimony before the House Committee on Ways and\nMeans, Subcommittee on Social Security Oversight Hearing on the SSA\xe2\x80\x99s Provisions in the American\nRecovery and Reinvestment Act of 2009, April 28, 2009.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                         4\n\x0cFor example, in a prior OIG review, 8 we determined SSA\xe2\x80\x99s 2007 IRM Plan provided\nbalanced and comprehensive coverage of its IRM and activities, but some\nimprovements were needed.\n\nSpecifically, we reported SSA\xe2\x80\x99s IRM Plan needed to provide a better description of how\nthe Agency\xe2\x80\x99s IRM activities will help accomplish the Agency\xe2\x80\x99s mission, goals and\nobjectives. 9 The IRM Plan would also be more useful if it informed the reader of the\nAgency\xe2\x80\x99s present position and what it sees as its future IT architecture. Finally, the IRM\nPlan should be structured in a way to better support the Agency\xe2\x80\x99s Strategic Plan while\nproviding possible solutions to its future challenges and constraints.\n\nWe also determined SSA does not have a comprehensive plan to meet potential\nprocessing needs for the next 20 years. Specifically, we found SSA\xe2\x80\x99s IT strategic\nplanning documents are short-term, tactical plans that do not discuss the Agency\xe2\x80\x99s IT\nactivities beyond FY 2014. Although the Agency's IT strategic planning documents do\nnot span 20 years into the future, the Agency believes it is looking to the future. For\nexample, the lease for its secondary support center expires in 2029, which Agency\nmanagement reported it is already assessing.\n\nGiven that there is no specific guidance on the exact content and length of time for an\nAgency IT Strategic Plan, we reviewed the IRM Plans or IT Strategic Plans of 17 other\nFederal agencies to identify best practices regarding IT planning documents. Similar to\nSSA, we determined other Agencies\xe2\x80\x99 plans did not span 20 years into the future but\nwere limited to 6 years. (See Appendix B for a list of the Agencies and documents\nreviewed.)\n\nSSAB believes the Agency\xe2\x80\x99s prior strategic planning documents 10 published in 1988\nand 2000 outlined a long-range and comprehensive IT vision for the Agency, whereas\nSSA\xe2\x80\x99s current planning documents tend to be narrowly focused and emphasize short-\nrange problem solving. In previous strategic planning documents, changes in societal\nfactors and business services were assessed, emerging technologies were appraised,\nand strategic recommendations were developed for implementation over the following\n10 years. For example, in a 1988 Strategic Plan, the Agency envisioned that by the\n\n8\n SSA OIG, The Social Security Administration\xe2\x80\x99s Information Resources Management Strategic Plan,\nA-14-07-27133, September 2007.\n9\n  The Agency\xe2\x80\x99s IRM Plan is not strategic in the following two areas: (1) IRM activities and the underlying\nenterprise architecture (which is the explicit description and documentation of the current and desired\nrelationships among business and management processes and information technology) only span\n2 years into the future, even though the IRM Plan states that it covers FYs 2006 through 2012 and\n(2) The IRM Plan does not have a sufficient description about how the Agency plans to address its\nbiggest challenge: an increased workload due to disabled and retiring baby boomers.\n10\n  2000\xe2\x80\x94A Strategic Plan (published in January 1988) and Social Security 2010 Vision (published in\nAugust 2000).\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                              5\n\x0cyear 2000, service delivery would include automated enrollment for retirement benefits,\nthe use of expert systems to support employee decisionmaking, and innovative self-\nservice options using automated teller machine-like technology. Further, in 2000, SSA\npublished a 2010 Vision, which discussed a full range of Internet services,\nvideoconferencing, real-time language translation capability and enhanced telephone\nservices.\n\nSSAB further stated that SSA needs to return to long-range planning that envisions how\nthe Agency will deliver service and what the supporting infrastructure must be to make\nthis plan a reality. SSAB urged SSA to develop a 2020 vision stating, \xe2\x80\x9cThe process\nmust include a broad scan of environmental factors that will arise within the next\ndecade, a thorough assessment of future technologies, a comprehensive review of all\nmajor business processes, and in-depth analyses of service delivery channels and\nopportunities for change or improvement.\xe2\x80\x9d SSAB believes short-term planning and\nimplementation strategies are not sufficient for the type of technological changes SSA\nwill need to make to meet future challenges.\n\nWe agree with SSAB that the Agency\xe2\x80\x99s prior planning documents outlined a long-range\nIT vision and were more strategic, whereas SSA\xe2\x80\x99s current planning documents are\nshort-term, tactical plans. Our review of prior SSA strategic planning documents found\nSSA's current plans tend to focus more on solutions to existing problems, such as\naddressing the Agency's outdated telephone infrastructure, aging Data Center and IT\ninfrastructure and addressing the hearing backlog. In contrast, the prior plans identified\nkey trends and predictions to plan for the Agency's future processing needs.\nAdditionally, the current plans do not always define the expected outcomes related to\nthe various IT initiatives in terms of cost or time savings. Further, the prior plans\nspanned 10 or more years into the future, whereas the current plans only span up\nto 7 years into the future.\n\nDISASTER RECOVERY\n\nAll agencies are required to have continuity of operations and disaster recovery plans to\nensure mission-essential functions are available under all conditions. 11 A system\noutage resulting from a disaster at the NCC would effectively shut down operations\nacross the organization, including State disability determination services.\n\nWe found the Agency has a disaster recovery plan 12 should a man-made or natural\nevent affect the NCC to such an extent that normal production and computing services\n\n11\n  Department of Homeland Security, FEMA [Federal Emergency Management Agency] National\nContinuity Programs, Federal Continuity Directive 1, Federal Executive Branch National Continuity\nProgram and Requirements, February 2008, Section 6. This policy states in part, that \xe2\x80\x9cAll agencies,\nregardless of their size or location, shall have in place a viable continuity capability to ensure continued\nperformance of their agency\xe2\x80\x99s essential functions under all conditions.\xe2\x80\x9d\n12\n The Social Security Administration\xe2\x80\x99s Disaster Recovery Plan for Computer Operations at the National\nComputer Center, February 19, 2009.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                                6\n\x0ccan no longer function in the site. Restoration and recovery plans have been developed\nto ensure the most critical services are resumed and remain functional. However, the\nAgency\xe2\x80\x99s plan depends heavily on the availability of a contracted, off-site data\nprocessing facility.\n\nBased on disaster recovery testing performed over the past several years, it will take\nabout 10 days 13 to recover the systems that support SSA\xe2\x80\x99s essential functions (see\nAppendix E for details regarding SSA\xe2\x80\x99s primary mission essential functions, mission-\nessential functions, and supporting activities). Therefore, SSA\xe2\x80\x99s ability to process\ncritical workloads 14 in the first 10 days after a disaster at the NCC would be reduced to\nmanual intakes (paper documents) with no automated processing. Even after the\nsystems are established at the contracted facility, only 34 percent of SSA\xe2\x80\x99s systems\nprocessing capacity would be available.\n\nAs part of the Agency\xe2\x80\x99s Information Technology Operations Assurance initiative, SSA is\nestablishing a secondary site, the Durham Support Center (DSC), to process a portion\nof SSA\xe2\x80\x99s workloads and mitigate the risks associated with NCC downtime. Each center\nwill back up the data assets of the other. The Agency\xe2\x80\x99s goal is by 2013, the critical\nworkloads of one can be assumed by the other within 24 hours.\n\nAccording to congressional testimony by SSA management in April 2009, 15 within\napproximately 6 months, the Agency expects to be able to process about half its\nproduction workloads at the DSC, providing the necessary backup to the NCC.\nAdditionally, by 2013, the DSC will be able to provide full backup and recovery for the\nAgency\xe2\x80\x99s data and daily processing needs. We are assessing SSA\xe2\x80\x99s disaster recovery\nprocess 16 and DSC. 17\n\n\n\n\n13\n This time frame reflects the recovery time in the event of a localized disaster that affects the NCC.\nHowever, this time frame could be longer if there is a regional or global catastrophe.\n14\n   The Agency stated the \xe2\x80\x9c\xe2\x80\xa6\xe2\x80\x98core business processes,\xe2\x80\x99 \xe2\x80\x99critical production\xe2\x80\x99 and \xe2\x80\x99critical workloads\xe2\x80\x99 are\noften used generally and interchangeably around the Agency. These terms are common and must be\nconsidered in the context of their use. The actual, detailed components of all of these \xe2\x80\x98c\xe2\x80\x99-workloads can\nchange as new/enhanced/repaired SSA applications, systems and hardware are introduced into the IT\narchitecture. These workloads allow us to pay people, exchange data, communicate and manage\nrecords (which includes issuing SSNs).\xe2\x80\x9d\n15\n  Deputy Commissioner for Budget, Finance and Management---Testimony before the House Committee\non Ways and Means, Subcommittee on Social Security Oversight, Hearing on SSA\xe2\x80\x99s Provisions in the\nAmerican Recovery and Reinvestment Act of 2009, April 28, 2009.\n16\n  SSA OIG, Quick Response Evaluation: The Social Security Administration\xe2\x80\x99s Disaster Recovery\nProcess (A-14-09-29139), June 2009.\n17\n  SSA OIG, Processing Capacity of the Social Security Administration\xe2\x80\x99s Durham Support Center\n(A-14-09-19100).\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                             7\n\x0cQuestion 2\n\nHas the Agency obtained information on industry best practices of other data\ninfrastructure systems of similar scope in terms of design, geographic location\nand redundancy, and has this information guided their decisions for information\nsystems planning?\n\nSSA officials stated they obtained best practices regarding data infrastructure systems\nthrough consultation with IT research firms, such as Gartner, Inc., Info-Tech Research\nGroup, Corporate Executive Board, and Forrester Research, Inc. 18 SSA consulted with\nthese firms regarding such topics as Data Center outsourcing; Data Center staffing;\nmanagement characteristics of effective Data Centers; next generation Data Center\ndesign; predicted infrastructure usage and upcoming technology; and infrastructure\noptimization.\n\nIn 2008, SSA conducted an informal survey of 13 Federal agencies to investigate what\nthe best practices were for Data Center management and operations. Nine agencies\nresponded. 19 Per SSA, the respondents indicated they operated Data Centers with\nredundancy, 20 failover, 21 and hot sites. 22 Seven of the nine respondents operated two\nor three Data Centers. The remaining two agencies only operated one Data Center.\n\nSSA management stated the Agency does not follow any specific industry best practice\ndocuments. The Agency\xe2\x80\x99s IT planning is based on experience and the best information\navailable at the time. For example, the Agency reported it reviewed LM\xe2\x80\x99s April 2004\nFinal Disaster Recovery Business Impact Analysis Report, to formulate plans for the\nDSC and LM\xe2\x80\x99s February 2008 Final Feasibility Study to develop plans for the new Data\nCenter.\n\n\n18\n  Gartner, Inc., is an IT research and advisory company. Info-Tech Research Group provides its\nmembers with IT research, tools and advice. Corporate Executive Board is a source of best practice\nresearch, decision-support tools, and executive education for corporations and not-for-profit institutions.\nForrester Research, Inc. is a technology and market research company that provides advice to global\nleaders in business and technology.\n19\n  The nine respondents were the (1) Centers for Disease Control, (2) Centers for Medicare and Medicaid\nServices, (3) Financial Management Service, (4) Food and Drug Administration, (5) Environmental\nProtection Agency, (6) Health Resources and Services Administration, (7) Indian Health Service,\n(8) Internal Revenue Service, and (9) Department of the Treasury Headquarters.\n\n20\n  Redundancy is the duplication of a system or equipment that functions if an operating component or\nsystem fails.\n21\n  Failover is the capability to switch over automatically to a redundant or standby computer server,\nsystem, or network if the previously active server system or network fails or terminates.\n22\n  A hot site is an alternate facility that has in place the computer, telecommunications, other IT,\nenvironmental infrastructure and personnel required to recover critical business functions or information\nsystems.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                               8\n\x0cAlthough SSA management stated it uses the best available information when IT\ndecisions are made, to date, we have been unable to obtain detailed cost estimates for\nall viable alternatives identified by LM in its NCC Feasibility Study. Further, we have\nsolicited for a contractor to evaluate SSA\xe2\x80\x99s process for selecting the replacement\nstrategy for the NCC, including the cost estimates for the various alternatives and the\nuse of industry best practices. Furthermore, the contractor will evaluate SSA\xe2\x80\x99s\ndecisionmaking process to ensure the selected replacement strategy is cost-effective,\nefficient, and provides reasonable assurance SSA will have a Data Center that is in the\nright location, with the right capacity, and operational within the needed time frame.\nGiven the time frame of the procurement process, our ability to fully respond to this\ninquiry was limited. Once we receive the contractor\xe2\x80\x99s final analysis, we plan to issue a\nseparate report to fully address the Committee\xe2\x80\x99s inquiry.\n\nQuestion 3\n\nWhat steps is the Agency taking to prevent the current situation that plagues\nSSA\xe2\x80\x99s National Computer Center from recurring?\n\nSSA has taken the following steps to prevent the current situation that plagues the NCC\nfrom recurring.\n\na. SSA initiated or completed projects recommended by LM to sustain existing\n   operations at the NCC (see Appendix F for a status update of SSA\xe2\x80\x99s corrective\n   actions to address LM\xe2\x80\x99s recommendations). Nonetheless, we believe the Agency\n   should have taken action sooner because SSA and the General Services\n   Administration (GSA) knew about some of the recurring issues at the NCC and\n   Utility Building since 1989 (see Appendix G for the recurring issues). Further, we\n   believe the criticality of the building should be given a greater weight than the age of\n   the building in determining whether a building is selected for renovation. SSA\n   officials stated, \xe2\x80\x9cWe disagree; we took action and funded significant projects to\n   sustain the building.\xe2\x80\x9d\nb. SSA reported the new NCC is being designed in accordance with the Uptime\n   Institute\xe2\x80\x99s Tier III Data Center standards. These standards provide redundancy to\n   mechanical and electrical infrastructure systems. Tier III facilities have redundant\n   capacity that allows for any planned site infrastructure maintenance and activities\n   without disrupting the computer hardware operation. 23 (See Appendix H for the\n   Uptime Institute\xe2\x80\x99s Tier Standards). The new Data Center will be designed to meet\n\n\n23\n  Planned activities include preventive and programmable maintenance, repair and replacement of\ncomponents, addition or removal of capacity components, testing of components and systems, and more.\nFor large sites using chilled water, this means two independent sets of pipes. Sufficient capacity and\ndistribution must be available to simultaneously carry the load on one path while performing maintenance\nor testing on the other path. Unplanned activities, such as errors in operation or spontaneous failures of\nfacility infrastructure components, will still cause a Data Center disruption.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                          9\n\x0c       the Agency\xe2\x80\x99s known infrastructure capacity needs based on anticipated trends and\n       with the redundancy and flexibility for future modification and expansion without\n       disruption to operations.\nc. SSA will continue to perform preventive maintenance activities at the NCC.\n\nIn another OIG report, we noted that although the NCC concerns were not specifically\nconsidered as part of the DSC planning process, the DSC was designed to minimize the\nlikelihood that the physical concerns identified at the NCC will be repeated. 24 SSA\nshould use a similar approach to prevent the new Data Center from encountering similar\nproblems that occurred at the NCC over time.\n\nNCC AND UTILITY BUILDING\n\nThe NCC was built in 1979 and occupied in May 1980. Since 1985, a number of\nreviews have been completed for the NCC and its Utility Building. These reviews\nidentified recurring issues (see Appendix B for a list of the reports). Chart 1\nsummarizes the significant recurring issues these reviews identified (see Appendix G).\n\n         Chart 1: Significant Recurring Issues at the NCC and its Utility Building\n        Significant Issues                                   Calendar Year\n     Identified at the NCC and\n          Utility Building       1989      1994       1998      2001       2007       2008        2009\n Roof                             X         X                    X          X           X\n Lightning Protection Grid                                                  X          X\n Heating Ventilation and Air\n Conditioning (HVAC)\n System                            X         X                    X          X          X          X\n Federal Pacific Electric\n (FPE) Panels (Riser\n Project)                                    X                               X          X          X\n Uninterruptible Power\n                25\n Supply (UPS)                                                     X                     X          X\n Fire Protection                             X                    X          X          X          X\n Facility Storage                                                 X          X          X\n Plumbing                          X         X                               X          X           X\n\n\n\n\n24\n  SSA OIG, Processing Capacity of the Social Security Administration\xe2\x80\x99s Durham Support Center\n(A-14-09-19100).\n25\n  A UPS, also known as a battery back-up system, provides emergency power to connected equipment\nby supplying power from a separate source when utility power is not available. The UPS consists of three\nparts: (1) a battery system that supplies power in the event of a power outage, (2) equipment that\nregulates and converts the power, and (3) a notification/control system that monitors the condition of the\nsystem and produces alerts when conditions are not \xe2\x80\x9cnormal.\xe2\x80\x9d\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                          10\n\x0cAs part of our prior 26 and current reviews, we determined the Agency has planned, or\ntaken some action to address, many of these issues. For example, SSA reported the\nmain NCC roof was installed in 1994, and the Utility Building roof was replaced in 2007.\nIn March 2009, a contract was awarded to replace the NCC warehouse roof. The\nlightning protection system will be addressed as part of the NCC warehouse roof\nreplacement project.\n\nAgency representatives stated the HVAC equipment has been well-maintained and\nupgraded over the years. For example, the Agency reported it made chiller plant\nrenovations in 1998 and air handler upgrades in 2003. SSA reported it had budget\nrequests for air handler unit repairs in 2007 and cooling and water pumps in 2008. 27 In\naddition, the Agency is regularly maintaining HVAC equipment, including air handler\nunits throughout the NCC.\n\nThe Agency reported in the early 1990s that additional circuit breakers had been\ninstalled in FPE breaker panels because additional electrical capacity was needed for\nNCC equipment. Agency staff acknowledged the breakers were not installed in\ncompliance with the National Electric Code. However, the ongoing Riser Project is\nexpected to resolve this issue. The Agency reported it sent GSA $9.7 million in\nFY 2005 in a Reimbursable Work Authorization 28 for the riser panel replacement\nproject. However, the technical requirements involved in designing and planning the\nProject to meet the Agency\xe2\x80\x99s needs were extensive. As a result, the completion of the\ndesign phase was time-consuming. SSA officials stated the contract was awarded in\nMay 2009.\n\nIn 1999, a UPS hot tie 29 installation provided redundancy for power requirements on the\ncritical loads. In April 2009, a contract was awarded to purchase UPS replacement\nparts, which will be used to support an extension of the UPS maintenance contract\nthrough Fiscal Year (FY) 2015.\n\nAlthough the Agency plans to defer installation of a fire suppression system, it reported\nthere have been several budget requests in this area. Specifically, requests for a Utility\nBuilding fire protection project in 2005, a high sensitivity smoke alarm in 2006, a fire\n\n\n\n26\n  SSA OIG, Quick Response Evaluation: The Social Security Administration\xe2\x80\x99s Ability to Address Future\nProcessing Requirements (A-44-09-19098), March 2009.\n27\n  Although the Agency provided budget information, we did not verify whether these projects had been\ncompleted.\n28\n  A reimbursable work authorization, GSA Form 2957, is used by SSA to obligate funds for services from\nGSA. According to SSA, the RWA for the riser project does not expire until September 30, 2010. The\nproject is scheduled to be completed before the funding expiration date.\n29\n     A system that transfers the electrical load of one substation to another without an outage.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                        11\n\x0cprotection upgrade in 2007, and a fire alarm modification in 2008. 30 Additionally, we\nconfirmed SSA installed an FM200 31 in the tape storage silos in the NCC.\n\nFurther, the Agency reported plumbing is being managed under its normal maintenance\nprogram. SSA reported there have been several budget requests for plumbing-related\nitems. For example, a request to upgrade the cathodic 32 in 2004 and replace piping in\n2006. 33\n\nBuilding Renovation and Construction Projects\n\nDuring our review, we evaluated the Agency\xe2\x80\x99s long-range strategic planning for\nrenovating the NCC and other buildings on SSA\xe2\x80\x99s Headquarters\xe2\x80\x99 campus. The Agency\nreported it discusses long-range renovation planning for SSA headquarters\napproximately every 5 years with GSA. In 2007, GSA and SSA representatives\ndiscussed renovations of the Altmeyer, West High and Low Rise, and the NCC\nbuildings. According to SSA officials, the GSA Federal Building Fund lacked adequate\nfunding; therefore, these buildings were not scheduled for renovation. Further, Agency\nrepresentatives stated the NCC is one of the newer buildings on SSA\xe2\x80\x99s campus.\nTypically, building renovation schedules are related to the facility\xe2\x80\x99s age and condition.\nConsequently, the Operations and Annex buildings were renovated before the NCC\n(see Chart 2 below). However, as SSA realized that technology advancement was\nbeing rapidly introduced and required diversely different facility infrastructure system\ndesigns than in the NCC, the Agency commissioned the LM study in 2007 and\nresponded to the findings in their 2008 report by moving the NCC ahead of the\nremaining three older buildings on campus yet to be renovated.\n\nWe believe that because the NCC is critical to SSA\xe2\x80\x99s continuity of operations and\nmission, resources should have been committed to renovating and/or replacing the\nNCC before other buildings. The chart below summarizes the renovation schedule for\nthe buildings on SSA\xe2\x80\x99s Headquarters\xe2\x80\x99 campus.\n\n\n\n\n30\n     See Footnote 26 on page 10.\n31\n  An FM200 is a gas-type fire suppression system. It is a fast-acting, waterless fire suppression system\nused to protect critical assets.\n\n32\n  Cathodic protection is a method for preventing or controlling the corrosion of metal surfaces that are in\ncontact with water.\n33\n     See Footnote 26.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                          12\n\x0c                             Chart 2: Building Renovation Schedule\n            Building                      Year Built              Date of Last Renovation\n Altmeyer                                   1960          Not Renovated\n Operations                                 1960          Phase 1, 2001-2005; Phase 2, 2006-2007\n Annex                                      1965          2000-2002\n East High/Low Rise                         1971          1996-1999\n Supply                                     1971          Not Renovated\n West High/Low Rise                         1973          Not Renovated\n NCC & Utility 34                           1980          Not Renovated\n\nWe requested information for the Operations, Annex and East High/Low Rise Building\nrenovation projects. 35 The Agency referred us to GSA. To date, we have not received\nall the information regarding the actual and planned costs and schedule for these\nBuildings.\n\nSSA\xe2\x80\x99S ACTIONS TO ADDRESS CURRENT AND FUTURE INFRASTRUCTURE AND\nCAPACITY ISSUES\n\nLM NCC Feasibility Study\n\nLM recommended 17 projects that should be undertaken at SSA\xe2\x80\x99s NCC and Utility\nBuilding to sustain existing IT operations through the end of Calendar Year 2014. Of\nthe 17, LM recommended 3 projects the Agency should defer because of the NCC\xe2\x80\x99s\nanticipated change in functional role.\n\nAgency representatives explained it had initiated or implemented the feasible projects\nrecommended by LM. The Agency representatives believe these projects will provide a\npositive return on investment to the Government. This includes the most significant\nrecommended projects of replacing the NCC feeder cables, 36 scheduling the planned\noutages for the riser panel replacement project, and securing the commitment of a\nmaintenance contract for the UPS system through 2015. Also, SSA plans to continue\nperforming preventive maintenance activities at the NCC. See Appendix F for a status\nupdate of SSA\xe2\x80\x99s corrective actions to address LM\xe2\x80\x99s recommendations.\n\n\n\n\n34\n  Although a complete renovation of the NCC and Utility building has not yet occurred, SSA reported it\nhas completed various projects, such as generator replacement, air handler upgrades, feeder cable\nreplacement, etc.\n35\n  We requested information regarding (1) GSA and SSA\xe2\x80\x99s roles in the renovation project, (2) the planned\nand actual total renovation costs, and (3) the planned and actual renovation schedule.\n36\n     Feeder cables are used to supply power to the NCC and Utility Building.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                          13\n\x0cSSA\xe2\x80\x99s Building of a New Data Center\n\nIn 1983, SSA had a pre-feasibility plan developed by AEPA Architects Engineers, P.C. 37\nThe study determined it was feasible (1) for SSA to construct a multipurpose office\nbuilding, training center, records center and warehouse, or any combination thereof, at\nthe SSA main campus site and (2) to expand the existing NCC and supply building.\n\nThe study indicated the NCC was designed to be expanded vertically by 2 floors to\nincrease the building\xe2\x80\x99s size by 180,000 gross square feet. It was anticipated that the\nNCC would need to be expanded because of the Agency\xe2\x80\x99s anticipated growth in\nactivities, changes in SSA\xe2\x80\x99s mission, growth in population, program changes and new\nlegislation. The total estimated cost of the computer center expansion at that time was\n$18 million.\n\nIn 2008, based on the LM NCC Feasibility Study, SSA officials decided to construct a\nnew Data Center 38 apart from the Agency\xe2\x80\x99s Woodlawn, Maryland, campus to replace\nthe NCC. Agency officials stated the current NCC is approximately 30 years old and\nwas constructed based on the best practices at that time. SSA stated the planned Data\nCenter is based on today's best practices. The new Data Center will be designed to\nmeet all the Agency\xe2\x80\x99s known infrastructure and capacity needs (including bandwidth\nand data storage) based on anticipated trends and with the flexibility for future\nmodification and expansion without disruption to operations.\n\nFurther, the Agency reported the new Data Center will be built in accordance with the\nUptime Institute\xe2\x80\x99s Tier III Data Center standards. These standards provide redundancy\nto mechanical and electrical infrastructure systems. Tier III facilities have redundant\ncapacity that allows for any planned site infrastructure maintenance and activities\nwithout disrupting the computer hardware operation. 39 Therefore, the Agency believes\nit will avoid many of the issues in the current NCC, which was built before such\nstandards existed.\n\nWe reviewed reports issued by Gartner from 2007 to 2009 related to Data Centers,\nstrategic planning and IT. Based on a February 2009 report, 40 polling was conducted at\na December 2008 Gartner Data Center Conference to gain insight into the attendees'\n37\n     Pre-Feasibility Macroplan Colonial Park, December 1983.\n38\n Although the new Data Center is commonly referred to as the National Support Center, as of\nMarch 2009, the Data Center had not yet been officially named by the Commissioner.\n39\n   Planned activities include preventive and programmable maintenance, repair and replacement of\ncomponents, addition or removal of capacity components, and testing of components and systems. For\nlarge sites using chilled water, this means two independent sets of pipes. Sufficient capacity and\ndistribution must be available to simultaneously carry the load on one path while performing maintenance\nor testing on the other path. Unplanned activities, such as errors in operation or spontaneous failures of\nfacility infrastructure components, will still cause a Data Center disruption.\n40\n     Power and Cooling Remain the Top Data Center Infrastructure Issues, February 20, 2009.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                         14\n\x0cmost pressing issues and strategic plans. Approximately 96 percent of the respondents\nindicated they are planning a Data Center project involving renovation, upgrade,\nexpansion, relocation or outsource in at least one of their Data Centers during the next\n2 years. Gartner found from 2006 to 2008, the most popular action had changed from\nrelocation to a new leased or owned facility (30 percent) to an expansion/upgrade\n(42 percent). Gartner reported that part of this shift can be attributed to the economy\nand management's belief that it is less expensive to renovate or upgrade than to move\nto a new facility. This is despite the fact that it is difficult and disruptive to upgrade a\nData Center.\n\nSSA estimates it will cost approximately $750 million 41 for the facilities 42 and equipment\nfor the new Data Center. The Agency anticipates the new Data Center to be\nsubstantially completed by October 2013. Further, it expects to occupy the new Data\nCenter in January 2014. However, this date is before installation of any IT equipment.\nA November 2008 Gartner report 43 showed the average cost of building an\n8,000-square foot Tier III Data Center was approximately $20.51 million ($2,564 per\nsquare foot). 44 The Agency plans to build a 247,000-gross square foot Data Center.\nUsing the Gartner report as a baseline, the new Data Center would cost approximately\n$633.4 million. We recognize that the Gartner report may not be directly comparable to\nthe Agency\xe2\x80\x99s current cost data for its new Data Center. Nevertheless, without\nindependently verifiable detailed cost estimates for the new Data Center, the Agency\xe2\x80\x99s\nestimates remain problematic. SSA officials stated, \xe2\x80\x9cWe disagree; we base our\nestimate along with the GSA\xe2\x80\x99s estimate on the recommended program elements of the\nEYP study.\xe2\x80\x9d 45 Further, SSA officials stated, \xe2\x80\x9cThe 247,000 gross square footage\nincludes non-computer space. If you apply the Gartner estimate only to computer\nspace in the new Data Center then the numbers would be in alignment.\xe2\x80\x9d\n\n41\n  Based on estimates of SSA\xe2\x80\x99s spending for the construction of the new Data Center, funds will be\nreleased in FY 2010 for research and studies to procure the land, funds will be released in FY 2011 to\ndesign and construct the facility, and funds are being reserved for FY 2012 to purchase IT services and IT\nstart-up equipment. Additionally, GSA and SSA are discussing the possibility of using funds to acquire IT\nconsultant assistance for the planning process and to accelerate the schedule for site related services in\nFY 2009. On April 1, 2009, GSA awarded a contract to Jacobs, a construction management firm that is\nresponsible for preparing the detailed Program of Requirements (scope of work) with GSA and SSA\nproject team members.\n\n42\n  This estimate is for an approximately 309,000 gross square foot facility that consists of a 247,000-gross\nsquare foot Data Center, 53,000-gross square foot office building and 9,200-gross square foot\nwarehouse.\n43\n     Data Center Availability: Tier Design Costs and Benefits Can Vary Greatly, November 12, 2008.\n44\n     This includes the estimated costs of construction and does not include ongoing operational costs.\n\n45\n  Feasibility Study for the Social Security Administration National Services Center Data Center Facility,\nJanuary 16, 2009. The following agencies and firms participated in the GSA study: (1) SSA, (2) GSA\nRegion 3, (3) Oudens Knoop Knoop + Sachs Architects (Architect), (4) HP Critical Facilities Services,\ndelivered by EYP MCF (Data Center Expert), and (5) Project Management Services Incorporated (Cost\nConsultant).\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                             15\n\x0c Further, based on SSA\xe2\x80\x99s prior large construction and renovation projects and Gartner\xe2\x80\x99s\n November 2008 report, we believe it is unlikely the current estimated schedule and\n costs related to the new Data Center will be met. SSA needs to reconcile these\n numbers and explain why there is a discrepancy.\n\n                     Chart 3: Building Renovation/Construction Schedule\n                                            Renovation Projects\n                                  Total Costs                            Completion Date\n      Building\n                   Planned         Actual      Difference      Planned         Actual    Difference\n             46\nOperations        $166 million     unknown      unknown     February 2007 September 2007 8 months\nAnnex 47           $60 million     unknown      unknown        unknown     January 2002  unknown\nEast High/Low\nRise Buildings     unknown        unknown         unknown       unknown          unknown         unknown\n                                             Construction Project\nDSC               $14 million    $44.26 million $30.26 million  May 2008       January 2009      8 months\n\n Although the Agency has decided to construct a new Data Center off campus, we are\n unable to determine whether this is the best use of taxpayer dollars because we have\n not been provided detailed cost estimates for all alternatives for replacing the NCC and\n its Utility Building. We have solicited for a contractor to evaluate SSA\xe2\x80\x99s process for\n selecting the replacement strategy for the NCC, including the cost estimates for the\n various alternatives and the use of industry best practices. Furthermore, the contractor\n will evaluate SSA\xe2\x80\x99s decisionmaking process to ensure the selected replacement\n strategy is cost-effective and efficient, and provides reasonable assurance that SSA will\n have a Data Center that is in the right location, with the right capacity, and operational\n within the needed timeframe.\n\n SSAB strongly urged SSA to undertake a self-assessment that would identify the\n underlying factors that allowed the current NCC situation to occur. We believe SSA\n should identify the underlying factors and implement the necessary controls to prevent\n this situation from recurring. Despite the corrective actions planned or taken by the\n Agency at the NCC in response to the 2008 LM study and the repairs and upgrades\n over the past 15 years, we believe the Agency should have taken action much sooner\n regarding many of the issues at the NCC.\n\n\n\n 46\n   According to GSA, the $166 million budgeted costs included the design, construction, management and\n inspection costs related to the project. Additionally, the total planned costs represent both GSA and SSA\n funding. The total actual costs were not provided during our review because, per GSA, the contracts\n were not yet closed.\n 47\n    According to GSA, the $60 million budgeted costs included the design, construction, management and\n inspection costs related to the project. Further, the January 2002 actual completion date represents the\n ending date for construction only. As of May 2009, we had not obtained the actual total renovation costs\n or planned renovation schedule. GSA representatives indicated it would take some time to gather this\n information.\n\n\n\n SSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       16\n\x0cQuestion 4\n\nDetermine the process and criteria being used by SSA to identify a new location\nfor the NCC and the risks and benefits of that process and criteria.\n\nIn 2007, SSA commissioned the LM NCC Feasibility Study to identify infrastructure and\ndata processing capacity issues. In 2008, LM completed its study and recommended\n17 projects that SSA should undertake to sustain existing IT operations through the end\nof Calendar Year 2014. In addition, LM recommended SSA construct a new Data\nCenter with utility infrastructure away from SSA\xe2\x80\x99s main campus. 48\n\nBased on LM\xe2\x80\x99s recommendation, SSA decided to build a new Data Center off campus.\nThe American Recovery and Reinvestment Act of 2009 (ARRA) provided SSA\n$500 million to replace the NCC. 49 As required by ARRA guidance, 50 SSA developed a\nProgram Specific Plan for the new Data Center. 51 Nonetheless, the Agency is still in\nthe preliminary stages of the NCC replacement project. The Agency stated the final\ncriteria for selecting the site of the new Data Center is being developed. However,\nwhen attempting to secure funds for the NCC replacement project, the Agency provided\ninformation to the presidential transition team and others regarding the location for the\nnew Data Center. The Agency stated the location for the new Data Center must meet\nthe following minimum requirements.\n\n\xef\x82\xb7    The location must be within 40 miles from SSA Headquarters in Woodlawn,\n     Maryland.\n\xef\x82\xb7    The location must be in a low-risk area for earthquakes, hurricanes and tornados.\n\xef\x82\xb7    The location must be in an area not subject to continuing, severe climatic conditions.\n\xef\x82\xb7    The location must be at or close to electrical utility services that provide at least two\n     separately fed utility substations for power.\n\n\n\n48\n The preferred alternative identified in the LM Feasibility Study was to build/lease a new NCC Data\nCenter with Utility Infrastructure off campus.\n49\n  H.R.1, American Recovery and Reinvestment Act of 2009 Division A \xe2\x80\x93 Appropriations Provisions, Title\nVIII\xe2\x80\x94Departments of Labor, Health and Human Services, and Education, and Related Agencies. Social\nSecurity Administration Limitation on Administrative Expenses (including transfer of funds), H.R.1-71.\n50\n  OMB, M-09-15, Updated Implementing Guidance for the American Recovery and Reinvestment Act of\n2009, Pub. L. No. 111-5, April 3, 2009.\n51\n  The program-specific plan provides such information as preliminary estimates of SSA\xe2\x80\x99s spending\ntoward the construction of the new Data Center, a schedule of the major phases of the project\n(procurement, planning, project execution phases, etc.), and a description of the Agency\xe2\x80\x99s monitoring\nprocess.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                         17\n\x0c\xef\x82\xb7     The location must be at or close to Points of Presence 52 for all three major carriers\n      on GSA\xe2\x80\x99s Networx Universal Contract. 53\n\xef\x82\xb7     For ease of access during local or national emergencies, locations in close\n      geographic proximity to SSA Headquarters would be given priority. For more distant\n      locations, low traffic congestion will be an important consideration to facilitate\n      movement of staff and data in and out of the facility.\n\nIn addition to the minimum requirements, the Agency reported it developed technical\nconsiderations for the placement of the NCC. The primary location factor is linked to\nthe risks and costs associated with a transition to a site outside International Business\nMachine's (IBM) Geographically Dispersed Parallel Sysplex (GDPS) technology. 54\nFurther, SSA identified key issues the Agency is considering when identifying the\nlocation of the new Data Center, such as minimizing the costs of moving equipment,\nrelocation and/or travel of staff as well as connectivity after the Data Center moves.\n\nSSA reported GSA is not soliciting for sites at this time. Further information is\nprocurement sensitive and cannot be released publicly until GSA issues the formal\nsolicitation. There is no legal requirement that GSA obtain competition in selecting sites\nfor public buildings. It has not yet been determined whether public advertisement will be\nposted for this project. The Agency estimates site selection for the new Data Center will\ntake place in the 2nd quarter of FY 2010.\n\nThe Agency reported the selection and acquisition of sites for the new Data Center will\nbe performed pursuant to the provisions of 40 U.S.C. 3304 (formerly Section 5 of the\nPublic Buildings Act of 1959, 40 U.S.C. 604), the National Environmental Policies Act of\n1969, 55 and the Uniform Relocation Assistance and Real Property Acquisition Policies\nAct of 1970. 56 Further, SSA reported GSA maintains several in-house resources for\nbest practices and will consult with, and use, the Uptime Institute guidelines for Tier III\nData Centers (see Appendix H), and use contracted resources to identify project-\nspecific criteria and assist in the site evaluation process.\n\n52\n   This refers to the physical locations where SSA\xe2\x80\x99s network in the new Data Center can connect to the\nhigh-speed network of communication providers. Depending on the provider and terms of work, SSA\nmay be expected to fund the construction work (for example, roadway trenching, cable deployment, etc.)\nto connect to the provider network.\n\n53\n  GSA\xe2\x80\x99s Universal Networx Contract consists of the following three carriers: (1) AT&T Corporation,\n(2) MCI Communications Services, Inc., doing business as Verizon Business Services, and (3) Qwest\nGovernment Services, Inc.\n54\n   GDPS is an IBM technology for keeping information technology in sync. The Agency reported, at this\ntime, GDPS offers the shortest and safest approach to the transition but comes with a distance limit of\nabout 30 to 60 miles.\n55\n     Pub. L. No. 91-190, 42 U.S.C. \xc2\xa7 4321 et seq.\n56\n     42 U.S.C. \xc2\xa7\xc2\xa7 4601 - 4655.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       18\n\x0cGiven the distance limitation of the GDPS technology, we requested information\nregarding (1) other tools or IT the Agency could use to expand the location radius of the\nnew Data Center and (2) the Agency\xe2\x80\x99s ability to move workloads from the NCC to the\nDSC, which is located over 300 miles away from SSA Headquarters. The Agency\nstated, \xe2\x80\x9cSSA has not conducted market research or solicited for information for such\ntools for this specific intent. Risk mitigation throughout the move\xe2\x80\x945 years from now\xe2\x80\x94is\nkey to the location of the new Data Center. Given the pace of plans to locate and build\nthe facility there is little time to canvas the market and pilot tools which may or may not\nexist by 2014-2015.\xe2\x80\x9d Further, SSA stated, \xe2\x80\x9cGDPS was not used to move workloads to\nDurham. The workloads that have been and will be moved to Durham are discrete\nworkloads that, from their inception, were designed for access via an independent wide\narea network connection. The workloads remaining in the NCC that will relocate to the\nNSC [National Support Center], are tightly integrated, designed to run within the same\nprocessing complex with other companion workloads and designed for access via\nsynchronous, intra-computer interaction.\xe2\x80\x9d\n\nAdditionally, we have solicited for a contractor to evaluate SSA\xe2\x80\x99s process for selecting\nthe replacement strategy for the NCC, including the cost estimates for the various\nalternatives and the use of industry best practices. Furthermore, the contractor will\nevaluate SSA\xe2\x80\x99s decisionmaking process to ensure the selected replacement strategy is\ncost-effective and efficient and provides reasonable assurance that SSA will have a\nData Center that is in the right location, with the right capacity, and operational within\nthe needed time frame.\n\nGiven the time frame of the procurement process, we were limited in our ability to fully\nrespond to this inquiry. Once we receive the vendor\xe2\x80\x99s final analysis, we plan to issue a\nseparate report to fully address the Committee\xe2\x80\x99s inquiry.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                          19\n\x0c                                                                         Conclusions\nBecause SSA\xe2\x80\x99s IT systems are critical to meeting its mission and goals and that mission\nimpacts the lives of nearly all Americans, it is imperative that the Agency have a clear IT\nvision that anticipates its future needs. Further, SSA\xe2\x80\x99s current IT strategic plans are\nshort-term, tactical plans that do not provide a detailed description of how the Agency\nintends to address its IT processing needs 10 to 20 years into the future. We believe as\nSSA progresses in implementing solutions to address its IT processing requirements, it\nneeds to have a more strategic and integrated approach to its IT planning efforts.\n\nAlthough the Agency has decided to construct a new Data Center and Utility Building off\ncampus, we were unable to determine whether this is the best use of taxpayer dollars\nbecause we have not been provided detailed cost estimates for all alternatives for\nreplacing the NCC and its Utility Building. To date, we have received three reports\ncontaining cost-related data. 57 However, according to SSA, LM\xe2\x80\x99s estimates were very\npreliminary, and the focus of the LM study was to determine the condition of the facility\nand determine whether there was a need for a new Data Center. It was not intended to\nbe a cost estimate. SSA added that the GSA study was a follow-on to the LM study,\nand its purpose was to define square footage needs that were used for cost-estimation\npurposes in the Agency\xe2\x80\x99s budget. Further, SSA stated that the BAH Alternative\nAnalysis was not a construction cost estimate, was based on the GSA study cost\nestimates and only calculated life-cycle costs of the building for the sole purpose of\ndetermining the return on investment to the government. According to SSA, it is not a\nconstruction cost estimate.\n\nGAO published a guide on best practices for developing and managing capital program\ncost. 58 In its guide, GAO defines the basic characteristics for credible cost estimates\nand a reliable process for creating them. We have solicited for a contractor to evaluate\nSSA\xe2\x80\x99s process for selecting the replacement strategy for the NCC, including the cost\nestimates for the various alternatives and the use of industry best practices.\n\n\n\n\n57\n  (1) Lockheed Martin's Final Feasibility Study, February 8, 2008; (2) General Services Administration's\nFeasibility Study for the Social Security Administration National Services Center Data Center Facility,\nJanuary 16, 2009; and (3) Booz Allen Hamilton's SSA National Computer Center Alternatives Analysis,\nJanuary 29, 2009 (updated February 18, 2009).\n\n58\n  GAO Cost Estimating and Assessment Guide, Best Practices for Developing and Managing Capital\nProgram Costs, March 2009.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                        20\n\x0cAs reliance on electronic processing and technology grows and the Agency\xe2\x80\x99s workload\nincreases, so does the need to ensure SSA\xe2\x80\x99s IT infrastructure is designed to meet\nfuture needs. SSA needs to focus its efforts on (1) strengthening its IT strategic\nplanning process and related documents; (2) identifying ways to accelerate planning,\nconstructing and operating the new Data Center; (3) developing contingency plans for\naddressing its IT processing requirements and disaster recovery procedures in the\nevent the DSC and/or the new Data Center are not operational within the scheduled\ntime frames; (4) using industry best practices to aid in its IT strategic planning; and\n(5) establishing controls and a detailed strategy for timely maintenance, repairs,\nupgrades and replacement of critical IT infrastructure in the new Data Center to prevent\nthe current situation at the NCC from recurring.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                       21\n\x0c                                           Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Information Technology Planning Process Overview\nAPPENDIX D \xe2\x80\x93 The Social Security Administration\xe2\x80\x99s Information Technology Strategic\n             Planning Documents\nAPPENDIX E \xe2\x80\x93 Primary Mission Essential Functions, Mission Essential Functions and\n             Supporting Activities\nAPPENDIX F \xe2\x80\x93 Lockheed Martin Recommendations\nAPPENDIX G \xe2\x80\x93 Recurring Infrastructure Issues at the National Computer Center and its\n             Utility Building\nAPPENDIX H \xe2\x80\x93 Uptime Institute\xe2\x80\x99s Data Center Tier Classifications and Performance\n             Standards\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)\n\x0c                                                                        Appendix A\n\nAcronyms\n    ARRA               American Recovery and Reinvestment Act of 2009\n    BER                Building Engineering Report\n    COOP               Continuity of Operations\n    CPIC               Capital Planning and Investment Control\n    DCS                Deputy Commissioner for Systems\n    DSC                Durham Support Center\n    EA                 Enterprise Architecture\n    FPE                Federal Pacific Electric\n    FY                 Fiscal Year\n    GAO                Government Accountability Office\n    GDPS               Geographically Dispersed Parallel Sysplex\n    GSA                General Services Administration\n    HVAC               Heating, Ventilation and Air Conditioning\n    IBM                International Business Machine\n    IRM                Information Resources Management\n    IT                 Information Technology\n    ITAB               Information Technology Advisory Board\n    LM                 Lockheed Martin\n    MEF                Mission-Essential Function\n    NCC                National Computer Center\n    NRP                National Response Plan\n    OCIO               Office of the Chief Information Officer\n    OFM                Office of Facilities Management\n    OIG                Office of the Inspector General\n    OMB                Office of Management and Budget\n    PMEF               Primary Mission-Essential Function\n    PRA                Paperwork Reduction Act of 1995\n    Pub. L. No.        Public Law Number\n    SSA                Social Security Administration\n    SSAB               Social Security Advisory Board\n    SSN                Social Security Number\n    UPS                Uninterruptible Power Supply\n    U.S.C.             United States Code\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)\n\x0c                                                                   Appendix B\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xef\x82\xb7 Reviewed relevant Federal laws, regulations and guidance.\n\xef\x82\xb7 Reviewed prior Office of the Inspector General and Government Accountability Office\n  reports related to information technology (IT) planning.\n\xef\x82\xb7 Reviewed the Social Security Administration\xe2\x80\x99s (SSA) IT strategic planning\n  documents.\n\xef\x82\xb7 Obtained and reviewed documentation on industry best practices for Data Centers.\n\xef\x82\xb7 Reviewed Information Resources Management (IRM) and IT Strategic Plans of\n  17 other Federal agencies as follows.\n\n   \xef\x82\xb7 Department of Education IRM Strategic Plan, Fiscal Year (FY) 2007-2011,\n     February 28, 2006\n  \xef\x82\xb7 Department of Energy IRM Strategic Plan, FY 2008-2010\n  \xef\x82\xb7 Department of the Interior IT Strategic Plan, FY 2007-2012\n  \xef\x82\xb7 Department of Health and Human Services IRM Strategic Plan, 2007-2012,\n     February 27, 2007\n  \xef\x82\xb7 Department of Justice IT Strategic Plan, 2008-2013, February 28, 2008\n  \xef\x82\xb7 Department of Labor IT Strategic Plan FY 2005-2009, September 2005\n  \xef\x82\xb7 Department of State IT Strategic Plan, FY 2006-2010\n  \xef\x82\xb7 Department of Transportation IRM Strategic Plan, FY 2007-2012\n  \xef\x82\xb7 Farm Credit Administration IRM Plan, FY 2009-2014\n  \xef\x82\xb7 Federal Deposit Insurance Corporation IT Strategic Plan, 2008-2013\n  \xef\x82\xb7 Federal Reserve Board Division of IT Strategic Plan, FY 2007-2010, July 3, 2007\n  \xef\x82\xb7 General Services Administration (GSA) IT Strategic Plan, 2009-2011, August\n     2007\n  \xef\x82\xb7 Department of Agriculture, Green IT Strategic Plan, January 12, 2009\n  \xef\x82\xb7 Department of Defense Interim Information Assurance Strategic Plan, March\n     2008\n  \xef\x82\xb7 Department of Housing and Urban Development IT Strategic Plan, FY 2007-2012\n  \xef\x82\xb7 Department of Treasury IRM Plan, October 14, 2008\n  \xef\x82\xb7 National Aeronautics and Space Administration IRM Strategic Plan, September\n     2007\n\xef\x82\xb7 Reviewed documentation pertaining to SSA\xe2\x80\x99s new Data Center.\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                   B-1\n\x0c\xef\x82\xb7 Obtained and reviewed documentation to support the corrective actions planned or\n  taken by SSA to address the significant issues identified in Lockheed Martin\xe2\x80\x99s (LM)\n  National Computer Center (NCC) Feasibility Study.\n\xef\x82\xb7 Interviewed personnel from GSA and SSA\xe2\x80\x99s Offices of Facilities Management, Chief\n  Information Officer, Budget, and Systems.\n\xef\x82\xb7 Reviewed prior GSA and LM reports pertaining to the NCC and its Utility Building\n  including:\n\n    \xef\x82\xb7   GSA Engineering Survey of Second Floor\xe2\x80\x94\xe2\x80\x9cSpecial Use Area,\xe2\x80\x9d SSA Computer\n        Center Building, January 23, 1985;\n    \xef\x82\xb7   GSA Building Engineering Report, NCC Utility Building, September 12, 1989;\n    \xef\x82\xb7   GSA Building Engineering Report, National Computer and Utility Building,\n        September 14, 1994;\n    \xef\x82\xb7   GSA Building Energy Audit & Chiller Optimization Report, NCC, June 19, 1995;\n    \xef\x82\xb7   GSA Generator Study for NCC at Utility Building, November 20, 1998;\n    \xef\x82\xb7   GSA Upgrade of Heating, Ventilation and Air Conditioning System, NCC Study\n        Report, July 2001;\n    \xef\x82\xb7   GSA Building Engineering Report, Phase 1--Data Collection, SSA Woodlawn\n        Facility, July 9, 2001;\n    \xef\x82\xb7   GSA Building Engineering Report, September 20, 2007;\n    \xef\x82\xb7   LM Final Feasibility Study, February 8, 2008; and\n    \xef\x82\xb7   GSA Feasibility Study for the SSA National Services Center, Data Center\n        Facility, January 16, 2009.\n\nWe performed our review at SSA\xe2\x80\x99s Headquarters in Baltimore, Maryland, between\nFebruary and May 2009. The entities reviewed were the Offices of the Deputy\nCommissioner for Budget, Finance and Management; Deputy Commissioner for\nSystems; and Chief Information Officer. We conducted our review in accordance with\nthe President\xe2\x80\x99s Council on Integrity and Efficiency\xe2\x80\x99s Quality Standards for Inspections. 1\n\n\n\n\n1\n  In January 2009, the President\xe2\x80\x99s Council on Integrity and Efficiency was superseded by the Council of\nthe Inspectors General on Integrity and Efficiency, Inspector General Reform Act of 2008, Public Law\nNumber 110-409 \xc2\xa7 7, 5 United States Code App. 3 \xc2\xa7 11.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       B-2\n\x0c                                                                  Appendix C\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)\n\x0c                                                                                   Appendix D\n\nThe Social Security Administration\xe2\x80\x99s Information\nTechnology Strategic Planning Documents\nThe Social Security Administration (SSA) has various information technology (IT)\nstrategic planning documents including a 2007 Information Resources Management\n(IRM) Strategic Plan, IT Vision 2009-2014, and Fiscal Year (FY) 2009-2010 Agency IT\nPlan.\n\n2007 IRM Strategic Plan\n\nAgencies must develop and maintain an IRM Plan, as required by the Paperwork\nReduction Act of 1995 (PRA). 1 According to the Office of Management and Budget\n(OMB), IRM Plans should support an agency\xe2\x80\x99s Strategic Plan. 2 OMB does not have\nguidance on the specific contents of an IRM Plan. However, an IRM Plan should be\nstrategic in nature and address the requirements of Federal IRM, as expressed in the\nPRA and OMB Circular A-130. 3\n\nSSA\xe2\x80\x99s 2007 IRM Plan covers a 7-year period from FYs 2006 though 2012. The Agency\nreported it is revising its IRM Plan, which will cover FYs 2009 through 2014. SSA\xe2\x80\x99s IRM\nPlan has been formulated to be a cornerstone of the Agency's IT investment strategy. It\nis a framework and a guiding principle assisting the Agency in making effective\ndecisions regarding the delivery of technology for employees, the public and\nbusinesses.\n\nThe purpose of SSA\xe2\x80\x99s IRM Plan is to\n\n\xef\x82\xb7         describe how IRM activities help accomplish SSA\xe2\x80\x99s mission, goals and objectives;\n\xef\x82\xb7         ensure IRM decisions are integrated with organizational planning, budget,\n          procurement, financial management, human resources management and program\n          decisions;\n\xef\x82\xb7         present an overview of SSA\xe2\x80\x99s Enterprise Architecture (EA) 4 that describes and\n          documents both the current and desired relationships among business and\n          management processes and IT; and\n\n\n1\n    44 United States Code (U.S.C.) \xc2\xa7 3506(b)(2).\n2\n    OMB Circular A-130, Management of Federal Information Resources, 8.b.(1)(a).\n3\n    Id.\n4\n EA is the explicit description and documentation of the current and desired relationships among\nbusiness and management processes and IT.\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                    D-1\n\x0c\xef\x82\xb7   serve as a key component of SSA\xe2\x80\x99s IT capital planning and investment control\n    (CPIC) 5 process.\n\nThe IRM Plan defines strategies for achieving a variety of objectives, such as operating\nand maintaining IT infrastructure, securing data and IT resources, maintaining and\nenhancing existing applications, as well as building and/or acquiring new applications.\n\nIT Vision 2009-2014\n\nSSA\xe2\x80\x99s IT Vision covers a 6-year period from FYs 2009 through 2014. In this document,\nthe Agency outlined its strategic plan to provide 21st century services to the American\npeople by reshaping policies and procedures to take maximum advantage of\ntechnology.\n\nThe Agency acknowledges that its future business process depends on effective\ntechnology. Therefore, the Agency must perform an overall assessment of its technical\ncapabilities and plan for the appropriate use of new technologies. One of the\nchallenges for SSA is to be aware of emerging technology and gauge if and when to\nadopt it. SSA's IT Vision document outlines the result of this assessment, the three\ninterdependent strategic imperatives and the IT strategies for each.\n\nThe Agency's strategic principle is to use innovative technologies with a robust\ninfrastructure to meet the changing needs of the American public. SSA reported it\nneeds significant investment in IT for the following three imperatives.\n\n\xef\x82\xb7 Strategic Imperative 1: Changing how we do business\n    \xef\x83\xbc Actively seek input from the public, business partners, and internal users to\n      define and optimize business processes.\n    \xef\x83\xbc Ensure the software applications critical to the services we provide use\n      streamlined and modern technologies that support a greater reliance on a self-\n      service business model.\n    \xef\x83\xbc Maintain a robust data exchange architecture that fully supports the growing\n      demand for information sharing.\n\n\n\n\n5\n  CPIC is defined and mandated by the Clinger-Cohen Act, Public Law Number 104-106, Division E,\nSection 5122, 40 U.S.C. \xc2\xa7 11302 and OMB Circular No. A-130, Management of Federal Information\nResources, 8.b.(1). It is a process for maximizing the value and assessing the risks of IT acquisitions.\nAlso, it is a management process for the identification, selection, control and evaluation of investments in\ninformation resources. Further, it is a decision making process for ensuring IT investments integrate\nstrategic planning, budgeting, procurement and the management of IT in support of Agency mission and\nbusiness needs.\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                          D-2\n\x0c\xef\x82\xb7 Strategic Imperative 2: Building a stronger IT foundation\n    \xef\x83\xbc Protect the sensitive information we maintain on every American and ensure that,\n      in a disaster, we can fully recover our systems and continue to provide service on\n      which our country depends.\n    \xef\x83\xbc Provide secure and continuous critical systems availability to employees,\n      citizens, Government agencies and businesses.\n    \xef\x83\xbc Gain efficiencies and cost savings by offering high quality electronic services.\n    \xef\x83\xbc Protect the environment and conserve energy in our use of technology.\n\n\xef\x82\xb7 Strategic Imperative 3: Revamping software and databases\n    \xef\x83\xbc Engineer software applications to provide flexibility for future expansion.\n    \xef\x83\xbc Migrate to highly shareable and cost-effective databases and ensure the\n      accuracy, privacy and integrity of our data.\n    \xef\x83\xbc Support the transition from Common Business Oriented Language to more\n      robust Web technology.\n\nThe IT Vision provides an estimated implementation timeline for major milestones\nassociated with the Agency's three strategic imperatives. Although the timeline only\ncovers FYs 2009 through 2014, SSA reported the initiatives typically span beyond this\nperiod. The Agency anticipates it will take between 5 and 10 years to plan, develop and\nimplement these changes.\n\nFY 2009-2010 Agency IT Plan\n\nThe Agency\xe2\x80\x99s current IT Plan covers FYs 2009 and 2010. The Plan documents the\nallocation of the Agency\xe2\x80\x99s IT resources within its eight portfolios. 6 The primary factors\nthat drive the focus of the Agency\xe2\x80\x99s IT investment are the CPIC, Agency goals and\nobjectives, President\xe2\x80\x99s Management Agenda, and higher monitoring authorities. 7\n\n\n6\n SSA\xe2\x80\x99s nine portfolios are (1) Core Services, (2) Disability Process, (3) Hearings Process, (4) High\nPerforming Workforce, (5) Program Integrity, (6) Savings and Solvency, (7) SSA Infrastructure, (8) Social\nSecurity Number Process, and (9) Reimbursable Work. FY 2009-2010 Agency IT Plan, page 1.\n7\n Higher monitoring authorities refers to external entities mandating or recommending changes, such as\nCongress, auditors and the courts.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       D-3\n\x0c                                                                                  Appendix E\n\nPrimary Mission Essential Functions, Mission\nEssential Functions and Supporting Activities1\nMission Essential Functions (MEF) are the limited set of department and agency-level\nGovernment functions that must be continued after a disruption of normal activities.\nPrimary Mission Essential Functions (PMEF) are a subset of the MEFs that directly\nsupport the eight functions the President and national leadership will focus on to lead\nand sustain the Nation during a catastrophic emergency. 2 Federal Continuity Directive\n1 3 requires the incorporation of continuity requirements into the daily operations of all\nagencies to ensure seamless and immediate continuation of PMEF capabilities,\nallowing critical Government functions and services to remain available to the public.\n\nThe Social Security Administration (SSA) has identified the following as its PMEFs,\nMEFs, and supporting activities.\n\nPMEFs\n\n1. Enumeration:\n      a. Assigning Social Security numbers (SSN)\n      b. Issuing replacement SSN cards\n      c. Enumeration at birth\n      d. Verifying SSNs\n      e. Providing SSNs to the Internal Revenue Service, law enforcement and border\n          patrol\n2. Administering Title II and XVI Claims for Benefits and Post-Entitlements for disability\n   and retirement:\n      a. Claims intake\n      b. Eligibility determinations\n      c. Evidence collection\n      d. Initial payments\n      e. Certifying payments to the Department of the Treasury\n\n1\n Provided by the Offices of Budget, Finance and Management, Facilities Management, and Emergency\nPreparedness.\n2\n Department of Homeland Security, FEMA [Federal Emergency Management Agency] National\nContinuity Programs, Federal Continuity Directive 2, Federal Executive Branch Mission Essential\nFunction and Primary Mission Essential Function Identification and Submission Process, February 2008,\nAnnex A.\n3\n Department of Homeland Security, FEMA [Federal Emergency Management Agency] National\nContinuity Programs, Federal Continuity Directive 1, Federal Executive Branch National Continuity\nProgram and Requirements, February 2008, Section 6.\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                     E-1\n\x0c       f.   Enabling the post-entitlement process\n       g.   Processing changes of information\n       h.   Performing benefit re-computations\n       i.   Initiating overpayment recovery\n       j.   Executing appeals process\n\n   MEFs\n\n3. Earnings\n       a. Receiving earnings reports\n       b. Establishing and maintaining earnings records\n       c. Determining work history and calculating benefit payment amounts\n       d. Validating and updating the Master Earnings File\n4. Informing the Public\n       a. Managing the national 800-number\n       b. Maintaining the SSA website\n       c. Staffing Internet requests\n       d. Handling press relations\n       e. Providing educational materials\n5. Information and Technology Management\n       a. Maintaining the National Computer Center (NCC)\n       b. Maintaining a viable NCC Disaster Recovery Plan and the capability to\n          implement it\n       c. Maintaining the information technology infrastructure including hardware\n          (processors); system software; and telecommunications at SSA Headquarters\n          and the Emergency Relocation Site/Alternate Facility\n6. Administrative Management\n       a. Performing payroll operations\n       b. Maintaining critical employee health\n       c. Support and emergency services\n       d. Exercising hiring authority\n       e. Fulfilling labor management agreements\n       f. Providing workload tracking and control support\n       g. Performing financial operations\n       h. Maintaining building operations\n7. Management Information\n       a. Providing executive management reports and statistical reports from\n          operational data stores\n8. Performance of SSA\xe2\x80\x99s Responsibilities Under the National Response Plan (NRP)\n       a. Developing and implementing a strategy for the integration of the National\n          Incident Management System into continuity of operations (COOP) and\n          emergency response plans, policies and procedures\n       b. Establish and maintain a roster of trained personnel to perform SSA\xe2\x80\x99s NRP\n          functions\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                  E-2\n\x0c9. Performance of SSA\xe2\x80\x99s COOP Responsibilities\n      a. Maintaining contact with other departments, agencies and Federal\n         organizations, and the capability and plan to transfer the Headquarters COOP\n         missions to another SSA component, if necessary.\n\nThe detailed components of all these critical workloads can change as\nnew/enhanced/repaired SSA applications, systems and hardware are introduced into\nthe information technology architecture.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                    E-3\n\x0c                                                                                                                                          Appendix F\n\nLockheed Martin Recommendations\n                                                                             Status Per Prior Office of the                    Status Per Our Current Review\n    Issue and       Lockheed Martin            LM                          Inspector General (OIG) Report 1                           As of June 2009\n      Status          (LM) Finding        Recommendation                    Agency                     OIG Review               Agency              OIG Review\n                                                                           Response                                            Response\nNational           The NCC feeder         Replace the feeder    The Social Security               Verified a contract    The feeder cable       Confirmed the\n                           2\nComputer           cables were            cables immediately.   Administration (SSA) awarded      had been awarded to    replacement project    permanent feeder\nCenter (NCC)       identified as the                            a contract to replace the         replace the feeder     has been completed.    cables had been\nFeeder             most apparent                                feeder cables in September        cables and observed                           installed.\nReplacement        single point of                              2008. As of March 2009, the       temporary cables\n                   failure. 3                                   Agency reported the new           being installed.\nCompleted                                                       feeder cables were installed,\n                                                                tested, energized and in use.\nFederal Pacific    The FPE panel          Replace the FPE       General Services                  Verified the project   The plans for the Riser   SSA officials\nElectric (FPE) 4   breakers most          panels                Administration (GSA)              design was complete.   Project remain on         stated, \xe2\x80\x9c. . . the\nPanel              likely will not open   immediately.          completed a design for the                               schedule. The             actual award date\nReplacement        should an \xe2\x80\x9cover                              Riser Project. SSA expected                              contract was awarded      was May 20, 2009.\xe2\x80\x9d\n                            5\n(Riser Project)    current\xe2\x80\x9d occur.                              GSA to award a contract by                               in May 2009.\n                                                                March 2009. The project was\nOngoing                                                         scheduled to be completed\n                                                                over 3 holiday weekends in\n                                                                October 2009, February 2010\n                                                                and May 2010. The\n                                                                contingency date is July 2010.\n\n\n1\n    SSA OIG, The Social Security Administration\xe2\x80\x99s Ability to Address Future Processing Requirements (A-44-09-19098), March 2009.\n2\n    Feeder cables are used to supply power to the NCC and Utility Building.\n3\n    A single-point-of-failure is a point (electrical equipment, cables, etc.) on a power system that can cause downtime if a failure or fault occurs.\n4\n FPE is a company that manufactured a variety of electrical equipment. During the original construction of the NCC, FPE panels and breakers\nwere installed.\n5\n  Circuit breakers cut off power when the electrical wiring has too much current flowing through it. An \xe2\x80\x9cover current\xe2\x80\x9d is a condition in an electrical\ncircuit when the current in the circuit exceeds the rated capacity of that circuit or the equipment connected to that circuit.\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                                                                              F-1\n\x0c                                                                            Status Per Prior Office of the                      Status Per Our Current Review\n    Issue and     Lockheed Martin            LM                           Inspector General (OIG) Report 1                               As of June 2009\n      Status        (LM) Finding        Recommendation                     Agency                      OIG Review                 Agency               OIG Review\n                                                                          Response                                              Response\nUninterruptible   The UPS service       Explore three         The Agency is implementing         Verified SSA received   The extension of the      Verified a contract\nPower Supply      contract expires in   options involving     the first and second options.      a list of UPS           maintenance contract      had been awarded\n(UPS) 6 System    September 2012.       (1) extending the     Specifically, SSA received a       replacement parts.      will not occur until      in April 2009 to\nReplacement       The UPS               maintenance           list of UPS replacement parts      When purchased,         2012 in conjunction       purchase the UPS\n                  manufacturer has      contract;             which it expects to purchase in these parts will be        with the expiration of    replacement parts.\nOngoing           warned that, at       (2) stockpiling       Fiscal Year (FY) 2009. The         used to support an      the existing\n                  present, failure of   replacement           contractor agreed to perform       extension of the UPS    maintenance contract.\n                  any large             equipment and         maintenance through FY 2015        maintenance contract    The contract for the\n                  component cannot      hiring personnel to   provided SSA purchased the         through FY 2015.        replacement parts was\n                  be repaired.          maintain the UPS      recommended replacement                                    awarded in April 2009.\n                                        system; and           parts. The third option was                                The replacement of the\n                                        (3) installing at     only necessary if the Agency                               UPS is not applicable.\n                                        least two new         did not receive funding for a\n                                        systems.              new Data Center.\n\n\n\n\n6\n A UPS, also known as a battery back-up system, provides emergency power to connected equipment by supplying power from a separate\nsource when utility power is not available. The UPS consists of three parts: (1) a battery system that supplies power in the event of a power\noutage, (2) equipment that regulates and converts the power, and (3) a notification/control system that monitors the condition of the system and\nproduces alerts when conditions are not \xe2\x80\x9cnormal.\xe2\x80\x9d\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                                                                                F-2\n\x0c                                                                       Status Per Prior Office of the                         Status Per Our Current Review\n  Issue and    Lockheed Martin            LM                         Inspector General (OIG) Report 1                                 As of June 2009\n    Status       (LM) Finding        Recommendation                   Agency                     OIG Review                     Agency              OIG Review\n                                                                     Response                                                 Response\nRoof           The membrane          Repair the roof     GSA completed a roof design        Verified a Request for     The contract was         Verified a contract\nMembrane and   and stone roofs       membrane and        in FY 2008 and expected to         Proposal for the NCC       awarded for the roof     had been awarded\nRoof Drains    above both the        clear the roof      award a contract in March          warehouse roof             replacement project in   in March 2009 to\n               NCC and its Utility   drains as soon as   2009. The NCC warehouse            replacement was            March 2009. The          replace the NCC\nOngoing        Building provide      possible.           roof will not have stones on       issued in May 2008, a      Agency continues to      warehouse roof.\n               an environment                            top. Also, the Utility Building    design was                 perform inspections\n               for dirt and seeds                        roof was recently replaced with completed in                  and maintenance on\n               to collect and                            a roof that does not have          September 2008, and        all roofs and drains as\n               grow into plants                          stones on top. Therefore, the      a solicitation for offer   part of the scheduled\n               with extensive root                       Agency believes the issue of       was issued in              preventive\n               systems.                                  \xe2\x80\x9can environment of dirt and        November 2008.             maintenance program.\n                                                         seeds to collect\xe2\x80\x9d has been         Also, we confirmed\n                                                         eliminated.                        the Agency inspects\n                                                                                            the roof as part of its\n                                                         Further, SSA reported the          preventive\n                                                         main NCC roof was installed in maintenance\n                                                         1994 and does have stones on schedule. In addition,\n                                                         top. SSA staff removed all         we verified the Utility\n                                                         growth, cleared all drains and     Building roof was\n                                                         increased the frequency of         replaced in Calendar\n                                                         inspections on the roofs for       Year 2007.\n                                                         early identification of possible\n                                                         growth. Agency staff stated\n                                                         there are currently no leaks on\n                                                         the main NCC roof.\n\n                                                         The Agency believes the\n                                                         replacement of the NCC\n                                                         warehouse and Utility Building\n                                                         roofs and increased inspection\n                                                         of the main NCC roof and\n                                                         drains addresses all the issues\n                                                         in the LM study.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                                                                             F-3\n\x0c                                                                             Status Per Prior Office of the                      Status Per Our Current Review\n  Issue and       Lockheed Martin           LM                             Inspector General (OIG) Report 1                               As of June 2009\n    Status          (LM) Finding       Recommendation                       Agency                      OIG Review                Agency                OIG Review\n                                                                          Response                                               Response\nLightning         The roof lightning   Repair the lightning   Completed repairs on the NCC Observed some                   In March 2009, GSA       Verified a contract\nProtection Grid   protection grid      protection grid        and Utility Building roofs. The     corrections the          awarded a design         was awarded in\n                  was damaged on       immediately.           Utility Building roof lightning     Agency made to           contract for architect   March 2009 for the\nOngoing           the NCC and its                             protection system was               repair the damage to     and engineering          design of the\n                  Utility Building.                           certified. The lightning            the lightning            services.                lightning protection\n                                                              protection system will be           protection grid. Also                             system for the\n                                                              reevaluated when the                verified an inspection                            NCC.\n                                                              warehouse roof repairs are          was completed and\n                                                              completed.                          the Utility Building\n                                                                                                  roof was certified in\n                                                                                                  October 2007.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                                                                                 F-4\n\x0c                                                                              Appendix G\n\nRecurring Infrastructure Issues at the National\nComputer Center and its Utility Building\nRoof and Lightning Protection Grid\n    \xef\x82\xb7   In 1989, about 9 years after the National Computer Center (NCC) was occupied,\n        the General Services Administration (GSA) issued a Building Engineering Report\n        (BER) that identified the need to replace the roof on the Utility Building. 1\n    \xef\x82\xb7   In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER\n        that identified the need to replace the Utility Building and NCC roof.\n    \xef\x82\xb7   In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER\n        that identified the need to replace the Utility Building and NCC warehouse roof.\n    \xef\x82\xb7   In 2007, about 27 years after the NCC was occupied, GSA issued a BER that\n        identified the need to repair the roof and lightning protection grid on the NCC.\n    \xef\x82\xb7   In 2008, about 28 years after the NCC was occupied, Lockheed Martin (LM)\n        issued a Feasibility Study that identified the need to repair the roof and lightning\n        protection grid on the NCC.\n\n        SSA reported the main NCC roof was installed in 1994 and the Utility Building\n        roof was replaced in Calendar Year 2007. The replacement of the NCC\n        warehouse roof is in-process. The lightning protection system will be addressed\n        as part of the NCC warehouse roof replacement project.\n\nHeating, Ventilation and Air Conditioning (HVAC) System\n    \xef\x82\xb7   In 1989, about 9 years after the NCC was occupied, GSA issued a BER that\n        identified the need to replace chillers and pumps.\n    \xef\x82\xb7   In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER\n        that identified the need to modify existing and install new air handling units.\n    \xef\x82\xb7   In 2001, about 21 years after the NCC was occupied, GSA issued a BER that\n        reported the need to replace all air handling units because they had reached the\n        end of their useful life.\n    \xef\x82\xb7   Also in 2001, GSA issued an HVAC system report that identified numerous\n        problems, such as damaged air handling equipment, poor indoor air quality, and\n        maintenance problems because of equipment failing or not functioning properly.\n    \xef\x82\xb7   In 2007, about 27 years after the NCC was occupied, GSA issued a BER that\n        reported unacceptable indoor air quality and aged and outdated equipment.\n\n\n\n1\n GSA periodically performs BERs on Federal Buildings. These reports document the condition and\ndeficiencies of a building.\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                  G-1\n\x0c    \xef\x82\xb7   In 2008, about 28 years after the NCC was occupied, LM issued a Feasibility\n        Study that reported potential mold, poor indoor air quality, insufficient cooling in\n        the Data Center, and identified the need to replace the HVAC system.\n    \xef\x82\xb7   In 2009, approximately 29 years after the NCC was occupied, GSA issued a\n        Feasibility Study that reported the system was at the end of its useful life.\n\n        Agency representatives stated the equipment has been well-maintained and\n        upgraded over the years. For example, the Agency reported it made chiller plant\n        renovations in 1998 and air handler upgrades in 2003. Most recently, SSA\n        reported budget requests were submitted for air handler unit repairs in 2007 and\n        for cooling and water pumps in 2008. 2 In addition, the Agency is performing\n        regular maintenance on HVAC equipment, including air handler units throughout\n        the NCC.\n\nFederal Pacific Electric (FPE) Panels 3\n    \xef\x82\xb7   In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER\n        that identified the need to replace the FPE panels.\n    \xef\x82\xb7   In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER\n        that reported the FPE panels were obsolete.\n    \xef\x82\xb7   In 2008, approximately 28 years after the NCC was occupied, LM issued a\n        Feasibility Study that identified the need to replace the FPE panels.\n    \xef\x82\xb7   In 2009, approximately 29 years after the NCC was occupied, GSA issued a\n        Feasibility Study that identified the need to replace the FPE panels.\n        The Agency reported in the early 1990s, additional circuit breakers had been\n        installed in FPE breaker panels because additional electrical capacity was\n        needed for the Data Center equipment. Agency staff acknowledged the added\n        breakers were not installed in compliance with the National Electric Code.\n        However, the Riser Project is expected to resolve this issue. SSA reported that it\n        sent GSA $9.7 million in FY 2005 in a Reimbursable Work Authorization 4 for the\n        Riser Project. However, due to extensive design and planning, the Project has\n        not yet been completed. SSA officials stated the contract was awarded in May\n        2009.\n\n\n\n\n2\n Although the Agency provided budget information, we did not verify whether these projects had been\ncompleted.\n3\n FPE is a company that manufactured a variety of electrical equipment. During the original construction\nof the NCC, FPE panels and breakers were installed.\n4\n A reimbursable work authorization, GSA Form 2957, is used by SSA to obligate funds for services from\nGSA. According to SSA, the RWA for the riser project does not expire until September 30, 2010. The\nproject is scheduled to be completed before the funding expiration date.\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       G-2\n\x0cUninterruptible Power Supply (UPS) 5\n      \xef\x82\xb7   In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER\n          that identified the need to replace the UPS batteries within the following 5 years\n          as they exceeded their useful life.\n      \xef\x82\xb7   In 2008, approximately 28 years after the NCC was occupied, LM issued a\n          Feasibility Study that identified the need to replace the UPS system as the failure\n          of any large component could no longer be repaired.\n      \xef\x82\xb7   In 2009, approximately 29 years after the NCC was occupied, GSA issued a\n          Feasibility Study that reported the UPS suffered a failure and was at the end of\n          its useful life.\n\n          The Agency reported a UPS hot tie 6 installation occurred in 1999 that provides\n          redundancy for power requirements on the critical loads. Most recently, a\n          contract was awarded in April 2009 for the purchase of UPS replacement parts,\n          which will be used to support an extension of the UPS maintenance contract\n          through FY 2015.\n\nFire Protection\n      \xef\x82\xb7   In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER\n          that identified the need to replace missing sprayed-on fireproofing.\n      \xef\x82\xb7   In 2001, approximately 21 years after the NCC was occupied, GSA issued a BER\n          that identified the need to repair damaged and missing fireproofing.\n      \xef\x82\xb7   In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER\n          that reported the fire protection system was not in compliance with applicable\n          code and the fire sprinkler system was worn, damaged, and corroded.\n      \xef\x82\xb7   In 2008, approximately 28 years after the NCC was occupied, LM issued a\n          Feasibility Study that identified the need to install a fire suppression system.\n      \xef\x82\xb7   In 2009, approximately 29 years after the NCC was occupied, GSA issued a\n          Feasibility Study that reported the Agency\xe2\x80\x99s current sprinkler system, if activated,\n          would be detrimental to the IT equipment and electrical infrastructure in the Data\n          Center.\n\n          Although the Agency plans to defer the installation of a fire suppression system,\n          SSA reported there have been several budget requests in this area. Specifically,\n          requests for a Utility Building fire protection project in 2005, a high sensitivity\n          smoke alarm in 2006, a fire protection upgrade in 2007, and a fire alarm\n\n\n\n5\n  A UPS, also known as a battery back-up system, provides emergency power to connected equipment\nby supplying power from a separate source when utility power is not available. The UPS consists of three\nparts: (1) a battery system that supplies power in the event of a power outage, (2) equipment that\nregulates and converts the power, and (3) a notification/control system that monitors the condition of the\nsystem and produces alerts when conditions are not \xe2\x80\x9cnormal.\xe2\x80\x9d\n6\n    A system that transfers the electrical load of one substation to another without an outage.\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                       G-3\n\x0c          modification in 2007 and 2008. 7 Additionally, we confirmed SSA installed an\n          FM200 within the tape storage silos in the Data Center.\n\nFacility Storage\n      \xef\x82\xb7   In 2001, approximately 21 years after the NCC was occupied, GSA issued a\n          HVAC system report that identified the need to clean out mechanical equipment\n          rooms being used for storage.\n      \xef\x82\xb7   In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER\n          that identified the need to remove stored items from electrical closets and work\n          areas and separate battery rooms from storage rooms.\n      \xef\x82\xb7   In 2008, approximately 28 years after the NCC was occupied, LM issued a\n          Feasibility Study that reported adequate storage does not exist and therefore\n          items are improperly stored in closets and mechanical rooms.\n\nPlumbing\n      \xef\x82\xb7   In 1989, about 9 years after the NCC was occupied, GSA issued a BER that\n          identified the need to provide plumbing fixtures for handicapped use.\n      \xef\x82\xb7   In 1994, approximately 14 years after the NCC was occupied, GSA issued a BER\n          that identified the need to replace all existing plumbing fixtures including\n          handicapped accessible fixtures.\n      \xef\x82\xb7   In 2007, approximately 27 years after the NCC was occupied, GSA issued a BER\n          that identified aged, worn, and noncompliant plumbing fixtures.\n      \xef\x82\xb7   In 2008, approximately 28 years after the NCC was occupied, LM issued a\n          Feasibility Study that reported corrosion of pipes, build-ups in pipes and pipe\n          failures in the facility were evident. Also, LM reported the plumbing system was\n          over 30 years old.\n      \xef\x82\xb7   In 2009, approximately 29 years after the NCC was occupied, GSA issued a\n          Feasibility Study that reported the plumbing system is near the end of its useful\n          life and replacement will be required in the near future. Further, GSA reported an\n          insufficient number of plumbing fixtures based on increased personnel.\n      The Agency reported plumbing is being managed under its normal maintenance\n      program. SSA reported there have been several budget requests for plumbing\n      related items. For example, a request to upgrade the cathodic 8 in 2004 and replace\n      piping in 2006. 9\n\n\n7\n    See Footnote 2.\n8\n    Cathodic protection is a method for preventing or controlling the corrosion of metal surfaces.\n9\n    See Footnote 2.\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)                                      G-4\n\x0c                                                                  Appendix H\n\n\nUptime Institute\xe2\x80\x99s Data Center Tier Classifications\nand Performance Standards\n\n\n\n\nSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)           H-1\n\x0cSSA\xe2\x80\x99s Information Technology Strategic Planning (A-44-09-29120)   H-2\n\x0c                          DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"